Merge remote-tracking branch 'origin/main' into protobuf-response-type

New Crowdin translations by GitHub Action

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -208,7 +208,7 @@
 /pkg/tests/apis/shorturl @grafana/sharing-squad
 /pkg/tests/api/correlations/ @grafana/datapro
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
-/pkg/tsdb/opentsdb/ @grafana/partner-datasources
+/pkg/tsdb/opentsdb/ @grafana/oss-big-tent
 /pkg/util/ @grafana/grafana-backend-group
 /pkg/web/ @grafana/grafana-backend-group
 
@@ -260,7 +260,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad
 /devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-opentsdb/ @grafana/oss-big-tent
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-loki/ @grafana/plugins-platform-frontend
@@ -307,7 +307,7 @@
 /devenv/docker/blocks/mysql_exporter/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_opendata/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_tests/ @grafana/oss-big-tent
-/devenv/docker/blocks/opentsdb/ @grafana/partner-datasources
+/devenv/docker/blocks/opentsdb/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres_tests/ @grafana/oss-big-tent
 /devenv/docker/blocks/prometheus/ @grafana/oss-big-tent
@@ -520,7 +520,7 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /e2e-playwright/various-suite/solo-route.spec.ts @grafana/dashboards-squad
 /e2e-playwright/various-suite/trace-view-scrolling.spec.ts @grafana/observability-traces-and-profiling
 /e2e-playwright/various-suite/verify-i18n.spec.ts @grafana/grafana-frontend-platform
-/e2e-playwright/various-suite/visualization-suggestions.spec.ts @grafana/dashboards-squad
+/e2e-playwright/various-suite/visualization-suggestions.spec.ts @grafana/dataviz-squad
 /e2e-playwright/various-suite/perf-test.spec.ts @grafana/grafana-frontend-platform
 
 # Packages
@@ -956,6 +956,7 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/features/notifications/ @grafana/grafana-search-navigate-organise
 /public/app/features/org/ @grafana/grafana-search-navigate-organise
 /public/app/features/panel/ @grafana/dashboards-squad
+/public/app/features/panel/components/VizTypePicker/VisualizationSuggestions.tsx @grafana/dataviz-squad
 /public/app/features/panel/suggestions/ @grafana/dataviz-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
@@ -1100,7 +1101,7 @@ eslint-suppressions.json @grafanabot
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
-/public/app/plugins/datasource/opentsdb/ @grafana/partner-datasources
+/public/app/plugins/datasource/opentsdb/ @grafana/oss-big-tent
 /public/app/plugins/datasource/grafana-postgresql-datasource/ @grafana/oss-big-tent
 /public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources

.github/workflows/pr-patch-check-event.yml

@@ -12,6 +12,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  statuses: write
 
 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.

.github/workflows/pr-patch-check.yml

@@ -29,6 +29,10 @@ permissions:
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
   dispatch-job:
+    # If the source is not from a fork then dispatch the job to the workflow.
+    # This will fail on forks when trying to broker a token, so instead, forks will create the required status and mark
+    # it as a success
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
     env:
       HEAD_REF: ${{ inputs.head_ref }}
       BASE_REF: ${{ github.base_ref }}
@@ -76,3 +80,20 @@ jobs:
                   triggering_github_handle: SENDER
                 }
             })
+  dispatch-job-fork:
+    # If the source is from a fork then use the built-in workflow token to create the same status and unconditionally
+    # mark it as a success.
+    if: ${{ github.event.pull_request.head.repo.fork }}
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create status
+        uses: myrotvorets/set-commit-status-action@6d6905c99cd24a4a2cbccc720b62dc6ca5587141
+        with:
+          token: ${{ github.token }}
+          sha: ${{ inputs.pr_commit_sha }}
+          repo: ${{ inputs.repo }}
+          status: success
+          context: "Test Patches (event)"
+          description: "Test Patches (event) on a fork"

.github/workflows/release-comms.yml

@@ -111,12 +111,13 @@ jobs:
       ownerRepo: 'grafana/grafana-enterprise'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
-  post_changelog_on_forum:
-    needs: setup
-    uses: grafana/grafana/.github/workflows/community-release.yml@main
-    with:
-      version: ${{ needs.setup.outputs.version }}
-      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
+  # Removed this for now since it doesn't work
+  # post_changelog_on_forum:
+  #   needs: setup
+  #   uses: grafana/grafana/.github/workflows/community-release.yml@main
+  #   with:
+  #     version: ${{ needs.setup.outputs.version }}
+  #     dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
   create_github_release:
     # a github release requires a git tag
     # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API

.golangci.yml

@@ -3,7 +3,7 @@
 # Others can set up the YAML LSP manually, which supports schemas: https://github.com/redhat-developer/yaml-language-server
 
 # $schema: https://golangci-lint.run/jsonschema/golangci.jsonschema.json
-version: "2"
+version: '2'
 run:
   timeout: 15m
   concurrency: 10
@@ -83,6 +83,16 @@ linters:
           deny:
             - pkg: github.com/grafana/grafana/pkg
               desc: apps/playlist is not allowed to import grafana core
+        apps-dashboard:
+          list-mode: lax
+          files:
+            - ./apps/dashboard/*
+            - ./apps/dashboard/**/*
+          allow:
+            - github.com/grafana/grafana/pkg/apimachinery
+          deny:
+            - pkg: github.com/grafana/grafana/pkg
+              desc: apps/dashboard is not allowed to import grafana core
         apps-secret:
           list-mode: lax
           files:
@@ -281,16 +291,16 @@ linters:
         text: G306
       - linters:
           - gosec
-        text: "401"
+        text: '401'
       - linters:
           - gosec
-        text: "402"
+        text: '402'
       - linters:
           - gosec
-        text: "501"
+        text: '501'
       - linters:
           - gosec
-        text: "404"
+        text: '404'
       - linters:
           - errorlint
         text: non-wrapping format verb for fmt.Errorf

apps/advisor/go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
 	k8s.io/apiserver v0.34.2
+	k8s.io/client-go v0.34.2
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 )
 
@@ -43,6 +44,7 @@ replace github.com/grafana/grafana/apps/plugins => ../plugins
 replace github.com/prometheus/alertmanager => github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 
 require (
+	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
@@ -55,6 +57,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
@@ -85,6 +88,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -101,6 +105,7 @@ require (
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gchaincl/sqlhooks v1.3.0 // indirect
 	github.com/getkin/kin-openapi v0.133.0 // indirect
@@ -144,12 +149,13 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.7.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.7.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
@@ -162,6 +168,7 @@ require (
 	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
@@ -176,6 +183,7 @@ require (
 	github.com/hashicorp/memberlist v0.5.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/jessevdk/go-flags v1.6.1 // indirect
 	github.com/jmespath-community/go-jmespath v1.1.1 // indirect
@@ -248,7 +256,9 @@ require (
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tetratelabs/wazero v1.8.2 // indirect
 	github.com/thomaspoignant/go-feature-flag v1.42.0 // indirect
@@ -256,6 +266,9 @@ require (
 	github.com/woodsbury/decimal128 v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
@@ -274,6 +287,8 @@ require (
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
@@ -297,23 +312,26 @@ require (
 	google.golang.org/grpc v1.77.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/mail.v2 v2.3.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/src-d/go-errors.v1 v1.0.0 // indirect
 	gopkg.in/telebot.v3 v3.3.8 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.34.2 // indirect
 	k8s.io/apiextensions-apiserver v0.34.2 // indirect
-	k8s.io/client-go v0.34.2 // indirect
 	k8s.io/component-base v0.34.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kms v0.34.2 // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.40.1 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect

apps/advisor/go.sum

@@ -282,6 +282,7 @@ github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03V
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cznic/b v0.0.0-20180115125044-35e9bbe41f07/go.mod h1:URriBxXwVq5ijiJ12C7iIZqlA69nTlI+LgI6/pwftG8=
 github.com/cznic/fileutil v0.0.0-20180108211300-6a051e75936f/go.mod h1:8S58EK26zhXSxzv7NQFpnliaOQsmDUxvoQO3rt154Vg=
@@ -406,6 +407,8 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
 github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
 github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
@@ -606,8 +609,10 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=
@@ -749,6 +754,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -979,6 +986,7 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/pressly/goose/v3 v3.26.0 h1:KJakav68jdH0WDvoAcj8+n61WqOIaPGgH0bJWS6jpmM=
 github.com/pressly/goose/v3 v3.26.0/go.mod h1:4hC1KrritdCxtuFsqgs1R4AU5bWtTAf+cnWvfhf2DNY=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
@@ -996,6 +1004,7 @@ github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6T
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
@@ -1010,6 +1019,7 @@ github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57J
 github.com/prometheus/exporter-toolkit v0.14.0 h1:NMlswfibpcZZ+H0sZBiTjrA3/aBFHkNZqE+iCj5EmRg=
 github.com/prometheus/exporter-toolkit v0.14.0/go.mod h1:Gu5LnVvt7Nr/oqTBUC23WILZepW0nffNo10XdhQcwWA=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
@@ -1036,6 +1046,7 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.6.0/go.mod h1:U8+INwJo3nBv1m6A/8OBXAq7Jnpspk5AxSgDyEQcea8=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
@@ -1058,6 +1069,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -1071,6 +1084,7 @@ github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
 github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
@@ -1096,6 +1110,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
@@ -1112,6 +1127,8 @@ github.com/thomaspoignant/go-feature-flag v1.42.0/go.mod h1:y0QiWH7chHWhGATb/+Xq
 github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tjhop/slog-gokit v0.1.5 h1:ayloIUi5EK2QYB8eY4DOPO95/mRtMW42lUkp3quJohc=
 github.com/tjhop/slog-gokit v0.1.5/go.mod h1:yA48zAHvV+Sg4z4VRyeFyFUNNXd3JY5Zg84u3USICq0=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@@ -1129,6 +1146,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY
 github.com/xanzy/go-gitlab v0.15.0/go.mod h1:8zdQa/ri1dfn8eS3Ir1SyfvOKlw7WBJ8DVThkpGiXrs=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1139,6 +1158,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
+go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
+go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
 go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
 go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
@@ -1149,6 +1170,12 @@ go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+
 go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
 go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
 go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
+go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
+go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
+go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
+go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.mongodb.org/mongo-driver v1.1.0/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
@@ -1301,6 +1328,7 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1712,6 +1740,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

apps/advisor/pkg/app/app.go

@@ -8,18 +8,24 @@ import (
 
 	"github.com/grafana/grafana-app-sdk/app"
 	"github.com/grafana/grafana-app-sdk/k8s"
+	appsdkapiserver "github.com/grafana/grafana-app-sdk/k8s/apiserver"
 	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana-app-sdk/operator"
 	"github.com/grafana/grafana-app-sdk/resource"
 	"github.com/grafana/grafana-app-sdk/simple"
+	advisorapi "github.com/grafana/grafana/apps/advisor/pkg/apis"
 	advisorv0alpha1 "github.com/grafana/grafana/apps/advisor/pkg/apis/advisor/v0alpha1"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkregistry"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checks"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkscheduler"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checktyperegisterer"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/setting"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/client-go/rest"
 )
 
 func New(cfg app.Config) (app.App, error) {
@@ -188,3 +194,45 @@ func GetKinds() map[schema.GroupVersion][]resource.Kind {
 		},
 	}
 }
+
+func ProvideAppInstaller(
+	authorizer authorizer.Authorizer,
+	checkRegistry checkregistry.CheckService,
+	cfg *setting.Cfg,
+	orgService org.Service,
+) (*AdvisorAppInstaller, error) {
+	provider := simple.NewAppProvider(advisorapi.LocalManifest(), nil, New)
+	pluginConfig := cfg.PluginSettings["grafana-advisor-app"]
+	specificConfig := checkregistry.AdvisorAppConfig{
+		CheckRegistry: checkRegistry,
+		PluginConfig:  pluginConfig,
+		StackID:       cfg.StackID,
+		OrgService:    orgService,
+	}
+	appCfg := app.Config{
+		KubeConfig:     rest.Config{},
+		ManifestData:   *advisorapi.LocalManifest().ManifestData,
+		SpecificConfig: specificConfig,
+	}
+
+	defaultInstaller, err := appsdkapiserver.NewDefaultAppInstaller(provider, appCfg, advisorapi.NewGoTypeAssociator())
+	if err != nil {
+		return nil, err
+	}
+
+	installer := &AdvisorAppInstaller{
+		AppInstaller: defaultInstaller,
+		authorizer:   authorizer,
+	}
+
+	return installer, nil
+}
+
+type AdvisorAppInstaller struct {
+	appsdkapiserver.AppInstaller
+	authorizer authorizer.Authorizer
+}
+
+func (a *AdvisorAppInstaller) GetAuthorizer() authorizer.Authorizer {
+	return a.authorizer
+}

apps/advisor/pkg/app/authorizer.go

@@ -1,47 +0,0 @@
-package app
-
-import (
-	"context"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func GetAuthorizer() authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(func(
-		ctx context.Context, attr authorizer.Attributes,
-	) (authorized authorizer.Decision, reason string, err error) {
-		if !attr.IsResourceRequest() {
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// Check for service identity
-		if identity.IsServiceIdentity(ctx) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		// Check for access policy identity
-		info, ok := claims.AuthInfoFrom(ctx)
-		if ok && claims.IsIdentityType(info.GetIdentityType(), claims.TypeAccessPolicy) {
-			// For access policy identities, we need to use ResourceAuthorizer
-			// This requires an AccessClient, which should be provided by the API server
-			// For now, we'll use the default ResourceAuthorizer from the API server
-			// This will be set up by the API server's authorization chain
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// For regular Grafana users, check if they are admin
-		u, err := identity.GetRequester(ctx)
-		if err != nil {
-			return authorizer.DecisionDeny, "valid user is required", err
-		}
-
-		// check if is admin
-		if u.HasRole(identity.RoleAdmin) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		return authorizer.DecisionDeny, "forbidden", nil
-	})
-}

apps/advisor/pkg/app/authorizer_test.go

@@ -1,91 +0,0 @@
-package app
-
-import (
-	"context"
-	"testing"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/stretchr/testify/assert"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func TestGetAuthorizer(t *testing.T) {
-	tests := []struct {
-		name             string
-		ctx              context.Context
-		attr             authorizer.Attributes
-		expectedDecision authorizer.Decision
-		expectedReason   string
-		expectedErr      error
-	}{
-		{
-			name:             "non-resource request",
-			ctx:              context.TODO(),
-			attr:             &mockAttributes{resourceRequest: false},
-			expectedDecision: authorizer.DecisionNoOpinion,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionAllow,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is not admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionDeny,
-			expectedReason:   "forbidden",
-			expectedErr:      nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			auth := GetAuthorizer()
-			decision, reason, err := auth.Authorize(tt.ctx, tt.attr)
-			assert.Equal(t, tt.expectedDecision, decision)
-			assert.Equal(t, tt.expectedReason, reason)
-			assert.Equal(t, tt.expectedErr, err)
-		})
-	}
-}
-
-type mockAttributes struct {
-	authorizer.Attributes
-	resourceRequest bool
-}
-
-func (m *mockAttributes) IsResourceRequest() bool {
-	return m.resourceRequest
-}
-
-// Implement other methods of authorizer.Attributes as needed
-
-type mockUser struct {
-	identity.Requester
-	isGrafanaAdmin bool
-}
-
-func (m *mockUser) GetIsGrafanaAdmin() bool {
-	return m.isGrafanaAdmin
-}
-
-func (m *mockUser) HasRole(role identity.RoleType) bool {
-	return role == identity.RoleAdmin && m.isGrafanaAdmin
-}
-
-func (m *mockUser) GetUID() string {
-	return "test-uid"
-}
-
-func (m *mockUser) GetIdentityType() claims.IdentityType {
-	return claims.TypeUser
-}
-
-// Implement other methods of identity.Requester as needed

apps/alerting/historian/go.mod

@@ -4,7 +4,7 @@ go 1.25.5
 
 require (
 	github.com/go-kit/log v0.2.1
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4
 	github.com/grafana/grafana-app-sdk v0.48.5
 	github.com/grafana/grafana-app-sdk/logging v0.48.3

apps/alerting/historian/go.sum

@@ -216,12 +216,10 @@ github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=
-github.com/grafana/grafana-app-sdk v0.48.5/go.mod h1:HJsMOSBmt/D/Ihs1SvagOwmXKi0coBMVHlfvdd+qe9Y=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 h1:jSojuc7njleS3UOz223WDlXOinmuLAIPI0z2vtq8EgI=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4/go.mod h1:VahT+GtfQIM+o8ht2StR6J9g+Ef+C2Vokh5uuSmOD/4=
 github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=

apps/dashboard/go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/grafana/grafana-app-sdk/logging v0.48.3
 	github.com/grafana/grafana-plugin-sdk-go v0.284.0
 	github.com/grafana/grafana/pkg/apimachinery v0.0.0-20250514132646-acbc7b54ed9e
+	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
@@ -57,7 +58,6 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.7.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect

apps/dashboard/pkg/migration/conversion/testdata/input/v1beta1.value-mapping-and-overrides.json

@@ -0,0 +1,603 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v1beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    },
+    "annotations": {},
+    "managedFields": []
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "to": 50,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "to": 80,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "to": 100,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  }
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "mode": "fixed",
+                    "fixedColor": "blue"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  },
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "to": 100,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "reducer": "allIsNull",
+                  "op": "gte",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v0alpha1"
+    }
+  },
+  "access": {
+    "slug": "value-mapping-test",
+    "url": "/d/value-mapping-test/value-mapping-and-overrides-test",
+    "canSave": true,
+    "canEdit": true,
+    "canAdmin": true,
+    "canStar": true,
+    "canDelete": true,
+    "annotationsPermissions": {
+      "dashboard": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      },
+      "organization": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      }
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2alpha1.json

@@ -530,7 +530,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2beta1.json

@@ -546,7 +546,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2alpha1.json

@@ -548,7 +548,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2beta1.json

@@ -574,7 +574,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2alpha1.json

@@ -1663,7 +1663,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2beta1.json

@@ -1727,7 +1727,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2alpha1.json

@@ -328,7 +328,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2beta1.json

@@ -335,7 +335,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v0alpha1.json

@@ -0,0 +1,580 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v0alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  },
+                  "to": 50
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  },
+                  "to": 80
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "fixedColor": "blue",
+                    "mode": "fixed"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  },
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "op": "gte",
+                  "reducer": "allIsNull",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2alpha1.json

@@ -0,0 +1,783 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "query": {
+            "kind": "grafana",
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "gauge",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "table",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2beta1.json

@@ -0,0 +1,795 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "query": {
+            "kind": "DataQuery",
+            "group": "grafana",
+            "version": "v0",
+            "datasource": {
+              "name": "-- Grafana --"
+            },
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "gauge",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "table",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/v1beta1_to_v2alpha1.go

@@ -501,11 +501,9 @@ func convertToRowsLayout(ctx context.Context, panels []interface{}, dsIndexProvi
 
 			if currentRow != nil {
 				// If currentRow is a hidden-header row (panels before first explicit row),
-				// set its collapse to match the first explicit row's collapsed value
-				// This matches frontend behavior: collapse: panel.collapsed
+				// it should not be collapsed because it will disappear and be visible only in edit mode
 				if currentRow.Spec.HideHeader != nil && *currentRow.Spec.HideHeader {
-					rowCollapsed := getBoolField(panelMap, "collapsed", false)
-					currentRow.Spec.Collapse = &rowCollapsed
+					currentRow.Spec.Collapse = &[]bool{false}[0]
 				}
 				// Flush current row to layout
 				rows = append(rows, *currentRow)
@@ -2022,6 +2020,9 @@ func transformPanelQueries(ctx context.Context, panelMap map[string]interface{},
 
 func transformSingleQuery(ctx context.Context, targetMap map[string]interface{}, panelDatasource *dashv2alpha1.DashboardDataSourceRef, dsIndexProvider schemaversion.DataSourceIndexProvider) dashv2alpha1.DashboardPanelQueryKind {
 	refId := schemaversion.GetStringValue(targetMap, "refId", "A")
+	if refId == "" {
+		refId = "A"
+	}
 	hidden := getBoolField(targetMap, "hide", false)
 
 	// Extract datasource from query or use panel datasource
@@ -2518,22 +2519,15 @@ func buildRegexMap(mappingMap map[string]interface{}) *dashv2alpha1.DashboardReg
 	regexMap := &dashv2alpha1.DashboardRegexMap{}
 	regexMap.Type = dashv2alpha1.DashboardMappingTypeRegex
 
-	opts, ok := mappingMap["options"].([]interface{})
-	if !ok || len(opts) == 0 {
-		return nil
-	}
-
-	optMap, ok := opts[0].(map[string]interface{})
+	optMap, ok := mappingMap["options"].(map[string]interface{})
 	if !ok {
 		return nil
 	}
 
 	r := dashv2alpha1.DashboardV2alpha1RegexMapOptions{}
-	if pattern, ok := optMap["regex"].(string); ok {
+	if pattern, ok := optMap["pattern"].(string); ok {
 		r.Pattern = pattern
 	}
-
-	// Result is a DashboardValueMappingResult
 	if resMap, ok := optMap["result"].(map[string]interface{}); ok {
 		r.Result = buildValueMappingResult(resMap)
 	}

apps/dashboard/pkg/migration/schemaversion/cache.go

@@ -5,12 +5,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/hashicorp/golang-lru/v2/expirable"
-	k8srequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/endpoints/request"
 
-	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
+	"github.com/grafana/authlib/types"
+	"github.com/grafana/grafana-app-sdk/logging"
 )
 
 const defaultCacheSize = 1000
@@ -32,17 +31,15 @@ type cachedProvider[T any] struct {
 	fetch    func(context.Context) T
 	cache    *expirable.LRU[string, T] // LRU cache: namespace to cache entry
 	inFlight sync.Map                  // map[string]*sync.Mutex - per-namespace fetch locks
-	logger   log.Logger
 }
 
 // newCachedProvider creates a new cachedProvider.
 // The fetch function should be able to handle context with different namespaces.
 // A non-positive size turns LRU mechanism off (cache of unlimited size).
 // A non-positive cacheTTL disables TTL expiration.
-func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration, logger log.Logger) *cachedProvider[T] {
+func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration) *cachedProvider[T] {
 	cacheProvider := &cachedProvider[T]{
-		fetch:  fetch,
-		logger: logger,
+		fetch: fetch,
 	}
 	cacheProvider.cache = expirable.NewLRU(size, func(key string, value T) {
 		cacheProvider.inFlight.Delete(key)
@@ -53,14 +50,13 @@ func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL
 // Get returns the cached value if it's still valid, otherwise calls fetch and caches the result.
 func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	// Get namespace info from ctx
-	nsInfo, err := request.NamespaceInfoFrom(ctx, true)
-	if err != nil {
+	namespace, ok := request.NamespaceFrom(ctx)
+	if !ok {
 		// No namespace, fall back to direct fetch call without caching
-		p.logger.Warn("Unable to get namespace info from context, skipping cache", "error", err)
+		logging.FromContext(ctx).Warn("Unable to get namespace info from context, skipping cache")
 		return p.fetch(ctx)
 	}
 
-	namespace := nsInfo.Value
 	// Fast path: check if cache is still valid
 	if entry, ok := p.cache.Get(namespace); ok {
 		return entry
@@ -81,7 +77,7 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	}
 
 	// Fetch outside the main lock - only this namespace is blocked
-	p.logger.Debug("cache miss or expired, fetching new value", "namespace", namespace)
+	logging.FromContext(ctx).Debug("cache miss or expired, fetching new value", "namespace", namespace)
 	value := p.fetch(ctx)
 
 	// Update the cache for this namespace
@@ -93,12 +89,12 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 // Preload loads data into the cache for the given namespaces.
 func (p *cachedProvider[T]) Preload(ctx context.Context, nsInfos []types.NamespaceInfo) {
 	// Build the cache using a context with the namespace
-	p.logger.Info("preloading cache", "nsInfos", len(nsInfos))
+	logging.FromContext(ctx).Info("preloading cache", "nsInfos", len(nsInfos))
 	startedAt := time.Now()
 	defer func() {
-		p.logger.Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
+		logging.FromContext(ctx).Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
 	}()
 	for _, nsInfo := range nsInfos {
-		p.cache.Add(nsInfo.Value, p.fetch(k8srequest.WithNamespace(ctx, nsInfo.Value)))
+		p.cache.Add(nsInfo.Value, p.fetch(request.WithNamespace(ctx, nsInfo.Value)))
 	}
 }

apps/dashboard/pkg/migration/schemaversion/cache_test.go

@@ -8,11 +8,11 @@ import (
 	"testing"
 	"time"
 
-	authlib "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apiserver/pkg/endpoints/request"
+
+	authlib "github.com/grafana/authlib/types"
 )
 
 // testProvider tracks how many times get() is called
@@ -44,7 +44,7 @@ func TestCachedProvider_CacheHit(t *testing.T) {
 
 	underlying := newTestProvider(datasources)
 	// Test newCachedProvider directly instead of the wrapper
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1) - this is the standard Grafana namespace format
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -69,7 +69,7 @@ func TestCachedProvider_NamespaceIsolation(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" (org 1) and "org-2" (org 2) - standard Grafana namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -102,7 +102,7 @@ func TestCachedProvider_NoNamespaceFallback(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Context without namespace - should fall back to direct provider call
 	ctx := context.Background()
@@ -123,7 +123,7 @@ func TestCachedProvider_ConcurrentAccess(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1)
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -155,7 +155,7 @@ func TestCachedProvider_ConcurrentNamespaces(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	var wg sync.WaitGroup
 	numOrgs := 10
@@ -198,7 +198,7 @@ func TestCachedProvider_CorrectDataPerNamespace(t *testing.T) {
 			"org-2":   {{UID: "org2-ds", Type: "loki", Name: "Org2 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Use valid namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -228,7 +228,7 @@ func TestCachedProvider_PreloadMultipleNamespaces(t *testing.T) {
 			"org-3":   {{UID: "org3-ds", Type: "tempo", Name: "Org3 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Preload multiple namespaces
 	nsInfos := []authlib.NamespaceInfo{
@@ -346,7 +346,7 @@ func TestCachedProvider_TTLExpiration(t *testing.T) {
 	underlying := newTestProvider(datasources)
 	// Use a very short TTL for testing
 	shortTTL := 50 * time.Millisecond
-	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL)
 
 	ctx := request.WithNamespace(context.Background(), "default")
 
@@ -379,7 +379,7 @@ func TestCachedProvider_ParallelNamespacesFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numNamespaces := 5
 	var wg sync.WaitGroup
@@ -421,7 +421,7 @@ func TestCachedProvider_SameNamespaceSerialFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numGoroutines := 10
 	var wg sync.WaitGroup

apps/dashboard/pkg/migration/schemaversion/datasource_utils.go

@@ -3,8 +3,6 @@ package schemaversion
 import (
 	"context"
 	"time"
-
-	"github.com/grafana/grafana/pkg/infra/log"
 )
 
 // Shared utility functions for datasource migrations across different schema versions.
@@ -36,7 +34,7 @@ func WrapIndexProviderWithCache(provider DataSourceIndexProvider, cacheTTL time.
 		return provider
 	}
 	return &cachedIndexProvider{
-		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL, log.New("schemaversion.dsindexprovider")),
+		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL),
 	}
 }
 
@@ -46,7 +44,7 @@ func WrapLibraryElementProviderWithCache(provider LibraryElementIndexProvider, c
 		return provider
 	}
 	return &cachedLibraryElementProvider{
-		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL, log.New("schemaversion.leindexprovider")),
+		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL),
 	}
 }
 

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_new.v42.json

@@ -75,9 +75,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -154,9 +154,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -233,9 +233,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -312,9 +312,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -391,9 +391,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -470,9 +470,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -549,9 +549,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -641,9 +641,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -720,9 +720,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -799,9 +799,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -878,9 +878,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -974,9 +974,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1053,9 +1053,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1132,9 +1132,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1211,9 +1211,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1290,9 +1290,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1386,9 +1386,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1469,9 +1469,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1552,9 +1552,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1603,7 +1603,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1644,9 +1643,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1671,7 +1670,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 98,
           "min": 5,
           "noise": 22,
@@ -1689,7 +1687,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1730,9 +1727,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1757,7 +1754,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 98,
           "min": 5,
           "noise": 22,
@@ -1788,7 +1784,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1830,9 +1825,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1857,7 +1852,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 8,
           "min": 1,
           "noise": 2,
@@ -1875,7 +1869,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1917,9 +1910,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1944,7 +1937,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 12,
           "min": 1,
           "noise": 2,
@@ -1962,7 +1954,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -2003,9 +1994,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2030,7 +2021,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 100,
           "min": 10,
           "noise": 22,
@@ -2048,7 +2038,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -2089,9 +2078,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2116,7 +2105,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 100,
           "min": 10,
           "noise": 22,
@@ -2129,6 +2117,151 @@
       ],
       "title": "Backend",
       "type": "radialbar"
+    },
+    {
+      "collapsed": false,
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 66
+      },
+      "id": 35,
+      "panels": [],
+      "title": "Empty data",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "grafana-testdata-datasource"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 0,
+        "y": 67
+      },
+      "id": 36,
+      "options": {
+        "barWidthFactor": 0.5,
+        "effects": {
+          "barGlow": false,
+          "centerGlow": false,
+          "gradient": true,
+          "rounded": false,
+          "spotlight": false
+        },
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "segmentCount": 1,
+        "segmentSpacing": 0.3,
+        "shape": "gauge",
+        "showThresholdLabels": false,
+        "showThresholdMarkers": true,
+        "sparkline": true
+      },
+      "pluginVersion": "13.0.0-pre",
+      "targets": [
+        {
+          "refId": "A",
+          "scenarioId": "random_walk",
+          "seriesCount": 0
+        }
+      ],
+      "title": "Numeric, no series",
+      "type": "gauge"
+    },
+    {
+      "datasource": {
+        "type": "grafana-testdata-datasource"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 6,
+        "y": 67
+      },
+      "id": 37,
+      "options": {
+        "barWidthFactor": 0.5,
+        "effects": {
+          "barGlow": false,
+          "centerGlow": false,
+          "gradient": true,
+          "rounded": false,
+          "spotlight": false
+        },
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "segmentCount": 1,
+        "segmentSpacing": 0.3,
+        "shape": "gauge",
+        "showThresholdLabels": false,
+        "showThresholdMarkers": true,
+        "sparkline": true
+      },
+      "pluginVersion": "13.0.0-pre",
+      "targets": [
+        {
+          "refId": "A",
+          "scenarioId": "logs"
+        }
+      ],
+      "title": "Non-numeric",
+      "type": "gauge"
     }
   ],
   "preload": false,
@@ -2146,4 +2279,4 @@
   "title": "Panel tests - Gauge (new)",
   "uid": "panel-tests-gauge-new",
   "weekStart": ""
-}
+}

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_old_to_new.v42.json

@@ -955,9 +955,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1162,4 +1162,4 @@
   "title": "Panel tests - Old gauge to new",
   "uid": "panel-tests-old-gauge-to-new",
   "weekStart": ""
-}
+}

apps/folder/kinds/folder.cue

@@ -8,12 +8,6 @@ foldersV1beta1: {
 		spec: {
 			title:    string
 			description?: string
-			foo: bool
-			bar: int
 		}
 	}
-
-	selectableFields: [
-		"spec.title",
-	]
-}
+}

apps/folder/pkg/apis/folder/v1beta1/folder_schema_gen.go

@@ -5,26 +5,13 @@
 package v1beta1
 
 import (
-	"errors"
-
 	"github.com/grafana/grafana-app-sdk/resource"
 )
 
 // schema is unexported to prevent accidental overwrites
 var (
 	schemaFolder = resource.NewSimpleSchema("folder.grafana.app", "v1beta1", NewFolder(), &FolderList{}, resource.WithKind("Folder"),
-		resource.WithPlural("folders"), resource.WithScope(resource.NamespacedScope), resource.WithSelectableFields([]resource.SelectableField{resource.SelectableField{
-			FieldSelector: "spec.title",
-			FieldValueFunc: func(o resource.Object) (string, error) {
-				cast, ok := o.(*Folder)
-				if !ok {
-					return "", errors.New("provided object must be of type *Folder")
-				}
-
-				return cast.Spec.Title, nil
-			},
-		},
-		}))
+		resource.WithPlural("folders"), resource.WithScope(resource.NamespacedScope))
 	kindFolder = resource.Kind{
 		Schema: schemaFolder,
 		Codecs: map[resource.KindEncoding]resource.Codec{

apps/folder/pkg/apis/manifestdata/folder_manifest.go

@@ -18,8 +18,6 @@ import (
 	v1beta1 "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
 )
 
-var ()
-
 var appManifestData = app.ManifestData{
 	AppName:          "folder",
 	Group:            "folder.grafana.app",
@@ -34,9 +32,6 @@ var appManifestData = app.ManifestData{
 					Plural:     "Folders",
 					Scope:      "Namespaced",
 					Conversion: false,
-					SelectableFields: []string{
-						"spec.title",
-					},
 				},
 			},
 			Routes: app.ManifestVersionRoutes{

apps/iam/go.mod

@@ -221,7 +221,7 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/iam/go.sum

@@ -377,10 +377,10 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/centrifugal/centrifuge v0.37.2 h1:rerQNvDfYN2FZEkVtb/hvGV7SIrJfEQrKF3MaE8GDlo=
-github.com/centrifugal/centrifuge v0.37.2/go.mod h1:aj4iRJGhzi3SlL8iUtVezxway1Xf8g+hmNQkLLO7sS8=
-github.com/centrifugal/protocol v0.16.2 h1:KoIHgDeX1fFxyxQoKW+6E8ZTCf5mwGm8JyGoJ5NBMbQ=
-github.com/centrifugal/protocol v0.16.2/go.mod h1:Q7OpS/8HMXDnL7f9DpNx24IhG96MP88WPpVTTCdrokI=
+github.com/centrifugal/centrifuge v0.38.0 h1:UJTowwc5lSwnpvd3vbrTseODbU7osSggN67RTrJ8EfQ=
+github.com/centrifugal/centrifuge v0.38.0/go.mod h1:rcZLARnO5GXOeE9qG7iIPMvERxESespqkSX4cGLCAzo=
+github.com/centrifugal/protocol v0.17.0 h1:hD0WczyiG7zrVJcgkQsd5/nhfFXt0Y04SJHV2Z7B1rg=
+github.com/centrifugal/protocol v0.17.0/go.mod h1:9MdiYyjw5Bw1+d5Sp4Y0NK+qiuTNyd88nrHJsUUh8k4=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -817,8 +817,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=
@@ -1376,11 +1376,13 @@ github.com/puzpuzpuz/xsync/v2 v2.5.1 h1:mVGYAvzDSu52+zaGyNjC+24Xw2bQi3kTr4QJ6N9p
 github.com/puzpuzpuz/xsync/v2 v2.5.1/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU=
 github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
 github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/quagmt/udecimal v1.9.0 h1:TLuZiFeg0HhS6X8VDa78Y6XTaitZZfh+z5q4SXMzpDQ=
+github.com/quagmt/udecimal v1.9.0/go.mod h1:ScmJ/xTGZcEoYiyMMzgDLn79PEJHcMBiJ4NNRT3FirA=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/redis/go-redis/v9 v9.14.0 h1:u4tNCjXOyzfgeLN+vAZaW1xUooqWDqVEsZN0U01jfAE=
 github.com/redis/go-redis/v9 v9.14.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
-github.com/redis/rueidis v1.0.64 h1:XqgbueDuNV3qFdVdQwAHJl1uNt90zUuAJuzqjH4cw6Y=
-github.com/redis/rueidis v1.0.64/go.mod h1:Lkhr2QTgcoYBhxARU7kJRO8SyVlgUuEkcJO1Y8MCluA=
+github.com/redis/rueidis v1.0.68 h1:gept0E45JGxVigWb3zoWHvxEc4IOC7kc4V/4XvN8eG8=
+github.com/redis/rueidis v1.0.68/go.mod h1:Lkhr2QTgcoYBhxARU7kJRO8SyVlgUuEkcJO1Y8MCluA=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=

apps/iam/kinds/manifest.cue

@@ -22,13 +22,40 @@ v0alpha1: {
 		serviceaccountv0alpha1,
 		externalGroupMappingv0alpha1
 	]
+
 	routes: {
 		namespaced: {
+			"/searchUsers": {
+				"GET": {
+					request: {
+						query: {
+							query?: string
+							limit?:  int64 | 10
+							offset?: int64 | 0
+							page?:   int64 | 1
+						}
+					}
+					response: {
+						offset: int64
+						totalHits: int64
+						hits: [...#UserHit]
+						queryCost: float64
+						maxScore: float64
+					}
+					responseMetadata: {
+						typeMeta: false
+						objectMeta: false
+					}
+				}
+			}
 			"/searchTeams": {
 				"GET": {
 					request: {
 						query: { 
 							query?: string
+							limit?:  int64 | 50
+							offset?: int64 | 0
+							page?:   int64 | 1
 						}
 					}
 					response: {
@@ -51,3 +78,15 @@ v0alpha1: {
 		}
 	}
 }
+
+#UserHit: {
+	name: string
+	title: string
+	login: string
+	email: string
+	role: string
+	lastSeenAt: int64
+	lastSeenAtAge: string
+	provisioned: bool
+	score: float64
+}

apps/iam/kinds/user.cue

@@ -14,7 +14,7 @@ userKind: {
 }
 
 userv0alpha1: userKind & {
-	// TODO: Uncomment this when User will be added to ManagedKinds
+	// TODO: Uncomment this when User will be added to ManagedKinds 
 	// validation: {
 	// 	operations: [
 	// 		"CREATE",
@@ -29,6 +29,9 @@ userv0alpha1: userKind & {
 	// }
 	schema: {
 		spec: v0alpha1.UserSpec
+		status: {
+			lastSeenAt: int64 | 0
+		}
 	}
 	// TODO: Uncomment when the custom routes implementation is done
 	// routes: {

apps/iam/pkg/apis/iam/v0alpha1/getsearchteams_request_params_types_gen.go

@@ -3,7 +3,10 @@
 package v0alpha1
 
 type GetSearchTeamsRequestParams struct {
-	Query *string `json:"query,omitempty"`
+	Query  *string `json:"query,omitempty"`
+	Limit  int64   `json:"limit,omitempty"`
+	Offset int64   `json:"offset,omitempty"`
+	Page   int64   `json:"page,omitempty"`
 }
 
 // NewGetSearchTeamsRequestParams creates a new GetSearchTeamsRequestParams object.

apps/iam/pkg/apis/iam/v0alpha1/getsearchusers_request_params_object_gen.go

@@ -0,0 +1,33 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+type GetSearchUsersRequestParamsObject struct {
+	metav1.TypeMeta             `json:",inline"`
+	GetSearchUsersRequestParams `json:",inline"`
+}
+
+func NewGetSearchUsersRequestParamsObject() *GetSearchUsersRequestParamsObject {
+	return &GetSearchUsersRequestParamsObject{}
+}
+
+func (o *GetSearchUsersRequestParamsObject) DeepCopyObject() runtime.Object {
+	dst := NewGetSearchUsersRequestParamsObject()
+	o.DeepCopyInto(dst)
+	return dst
+}
+
+func (o *GetSearchUsersRequestParamsObject) DeepCopyInto(dst *GetSearchUsersRequestParamsObject) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	dstGetSearchUsersRequestParams := GetSearchUsersRequestParams{}
+	_ = resource.CopyObjectInto(&dstGetSearchUsersRequestParams, &o.GetSearchUsersRequestParams)
+}
+
+var _ runtime.Object = NewGetSearchUsersRequestParamsObject()

apps/iam/pkg/apis/iam/v0alpha1/getsearchusers_request_params_types_gen.go

@@ -0,0 +1,15 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+type GetSearchUsersRequestParams struct {
+	Query  *string `json:"query,omitempty"`
+	Limit  int64   `json:"limit,omitempty"`
+	Offset int64   `json:"offset,omitempty"`
+	Page   int64   `json:"page,omitempty"`
+}
+
+// NewGetSearchUsersRequestParams creates a new GetSearchUsersRequestParams object.
+func NewGetSearchUsersRequestParams() *GetSearchUsersRequestParams {
+	return &GetSearchUsersRequestParams{}
+}

apps/iam/pkg/apis/iam/v0alpha1/getsearchusers_response_types_gen.go

@@ -0,0 +1,37 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type UserHit struct {
+	Name          string  `json:"name"`
+	Title         string  `json:"title"`
+	Login         string  `json:"login"`
+	Email         string  `json:"email"`
+	Role          string  `json:"role"`
+	LastSeenAt    int64   `json:"lastSeenAt"`
+	LastSeenAtAge string  `json:"lastSeenAtAge"`
+	Provisioned   bool    `json:"provisioned"`
+	Score         float64 `json:"score"`
+}
+
+// NewUserHit creates a new UserHit object.
+func NewUserHit() *UserHit {
+	return &UserHit{}
+}
+
+// +k8s:openapi-gen=true
+type GetSearchUsers struct {
+	Offset    int64     `json:"offset"`
+	TotalHits int64     `json:"totalHits"`
+	Hits      []UserHit `json:"hits"`
+	QueryCost float64   `json:"queryCost"`
+	MaxScore  float64   `json:"maxScore"`
+}
+
+// NewGetSearchUsers creates a new GetSearchUsers object.
+func NewGetSearchUsers() *GetSearchUsers {
+	return &GetSearchUsers{
+		Hits: []UserHit{},
+	}
+}

apps/iam/pkg/apis/iam/v0alpha1/user_client_gen.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type UserClient struct {
@@ -75,6 +76,24 @@ func (c *UserClient) Patch(ctx context.Context, identifier resource.Identifier,
 	return c.client.Patch(ctx, identifier, req, opts)
 }
 
+func (c *UserClient) UpdateStatus(ctx context.Context, identifier resource.Identifier, newStatus UserStatus, opts resource.UpdateOptions) (*User, error) {
+	return c.client.Update(ctx, &User{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       UserKind().Kind(),
+			APIVersion: GroupVersion.Identifier(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			ResourceVersion: opts.ResourceVersion,
+			Namespace:       identifier.Namespace,
+			Name:            identifier.Name,
+		},
+		Status: newStatus,
+	}, resource.UpdateOptions{
+		Subresource:     "status",
+		ResourceVersion: opts.ResourceVersion,
+	})
+}
+
 func (c *UserClient) Delete(ctx context.Context, identifier resource.Identifier, opts resource.DeleteOptions) error {
 	return c.client.Delete(ctx, identifier, opts)
 }

apps/iam/pkg/apis/iam/v0alpha1/user_object_gen.go

@@ -21,11 +21,14 @@ type User struct {
 
 	// Spec is the spec of the User
 	Spec UserSpec `json:"spec" yaml:"spec"`
+
+	Status UserStatus `json:"status" yaml:"status"`
 }
 
 func NewUser() *User {
 	return &User{
-		Spec: *NewUserSpec(),
+		Spec:   *NewUserSpec(),
+		Status: *NewUserStatus(),
 	}
 }
 
@@ -43,11 +46,15 @@ func (o *User) SetSpec(spec any) error {
 }
 
 func (o *User) GetSubresources() map[string]any {
-	return map[string]any{}
+	return map[string]any{
+		"status": o.Status,
+	}
 }
 
 func (o *User) GetSubresource(name string) (any, bool) {
 	switch name {
+	case "status":
+		return o.Status, true
 	default:
 		return nil, false
 	}
@@ -55,6 +62,13 @@ func (o *User) GetSubresource(name string) (any, bool) {
 
 func (o *User) SetSubresource(name string, value any) error {
 	switch name {
+	case "status":
+		cast, ok := value.(UserStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type UserStatus", value)
+		}
+		o.Status = cast
+		return nil
 	default:
 		return fmt.Errorf("subresource '%s' does not exist", name)
 	}
@@ -226,6 +240,7 @@ func (o *User) DeepCopyInto(dst *User) {
 	dst.TypeMeta.Kind = o.TypeMeta.Kind
 	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
 	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
 }
 
 // Interface compliance compile-time check
@@ -297,3 +312,15 @@ func (s *UserSpec) DeepCopy() *UserSpec {
 func (s *UserSpec) DeepCopyInto(dst *UserSpec) {
 	resource.CopyObjectInto(dst, s)
 }
+
+// DeepCopy creates a full deep copy of UserStatus
+func (s *UserStatus) DeepCopy() *UserStatus {
+	cpy := &UserStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies UserStatus into another UserStatus object
+func (s *UserStatus) DeepCopyInto(dst *UserStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/user_status_gen.go

@@ -2,43 +2,12 @@
 
 package v0alpha1
 
-// +k8s:openapi-gen=true
-type UserstatusOperatorState struct {
-	// lastEvaluation is the ResourceVersion last evaluated
-	LastEvaluation string `json:"lastEvaluation"`
-	// state describes the state of the lastEvaluation.
-	// It is limited to three possible states for machine evaluation.
-	State UserStatusOperatorStateState `json:"state"`
-	// descriptiveState is an optional more descriptive state field which has no requirements on format
-	DescriptiveState *string `json:"descriptiveState,omitempty"`
-	// details contains any extra information that is operator-specific
-	Details map[string]interface{} `json:"details,omitempty"`
-}
-
-// NewUserstatusOperatorState creates a new UserstatusOperatorState object.
-func NewUserstatusOperatorState() *UserstatusOperatorState {
-	return &UserstatusOperatorState{}
-}
-
 // +k8s:openapi-gen=true
 type UserStatus struct {
-	// operatorStates is a map of operator ID to operator state evaluations.
-	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
-	OperatorStates map[string]UserstatusOperatorState `json:"operatorStates,omitempty"`
-	// additionalFields is reserved for future use
-	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+	LastSeenAt int64 `json:"lastSeenAt"`
 }
 
 // NewUserStatus creates a new UserStatus object.
 func NewUserStatus() *UserStatus {
 	return &UserStatus{}
 }
-
-// +k8s:openapi-gen=true
-type UserStatusOperatorStateState string
-
-const (
-	UserStatusOperatorStateStateSuccess    UserStatusOperatorStateState = "success"
-	UserStatusOperatorStateStateInProgress UserStatusOperatorStateState = "in_progress"
-	UserStatusOperatorStateStateFailed     UserStatusOperatorStateState = "failed"
-)

apps/iam/pkg/apis/iam/v0alpha1/zz_openapi_gen.go

@@ -21,6 +21,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GetGroupsBody":                                                     schema_pkg_apis_iam_v0alpha1_GetGroupsBody(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GetSearchTeams":                                                    schema_pkg_apis_iam_v0alpha1_GetSearchTeams(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GetSearchTeamsBody":                                                schema_pkg_apis_iam_v0alpha1_GetSearchTeamsBody(ref),
+		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GetSearchUsers":                                                    schema_pkg_apis_iam_v0alpha1_GetSearchUsers(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GlobalRole":                                                        schema_pkg_apis_iam_v0alpha1_GlobalRole(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GlobalRoleBinding":                                                 schema_pkg_apis_iam_v0alpha1_GlobalRoleBinding(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.GlobalRoleBindingList":                                             schema_pkg_apis_iam_v0alpha1_GlobalRoleBindingList(ref),
@@ -72,10 +73,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.TeamStatus":                                                        schema_pkg_apis_iam_v0alpha1_TeamStatus(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.TeamstatusOperatorState":                                           schema_pkg_apis_iam_v0alpha1_TeamstatusOperatorState(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.User":                                                              schema_pkg_apis_iam_v0alpha1_User(ref),
+		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserHit":                                                           schema_pkg_apis_iam_v0alpha1_UserHit(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserList":                                                          schema_pkg_apis_iam_v0alpha1_UserList(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserSpec":                                                          schema_pkg_apis_iam_v0alpha1_UserSpec(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserStatus":                                                        schema_pkg_apis_iam_v0alpha1_UserStatus(ref),
-		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserstatusOperatorState":                                           schema_pkg_apis_iam_v0alpha1_UserstatusOperatorState(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.VersionsV0alpha1Kinds7RoutesGroupsGETResponseExternalGroupMapping": schema_pkg_apis_iam_v0alpha1_VersionsV0alpha1Kinds7RoutesGroupsGETResponseExternalGroupMapping(ref),
 		"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.VersionsV0alpha1RoutesNamespacedSearchTeamsGETResponseTeamHit":     schema_pkg_apis_iam_v0alpha1_VersionsV0alpha1RoutesNamespacedSearchTeamsGETResponseTeamHit(ref),
 	}
@@ -688,6 +689,62 @@ func schema_pkg_apis_iam_v0alpha1_GetSearchTeamsBody(ref common.ReferenceCallbac
 	}
 }
 
+func schema_pkg_apis_iam_v0alpha1_GetSearchUsers(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"offset": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"totalHits": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"hits": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserHit"),
+									},
+								},
+							},
+						},
+					},
+					"queryCost": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"number"},
+							Format:  "double",
+						},
+					},
+					"maxScore": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"number"},
+							Format:  "double",
+						},
+					},
+				},
+				Required: []string{"offset", "totalHits", "hits", "queryCost", "maxScore"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserHit"},
+	}
+}
+
 func schema_pkg_apis_iam_v0alpha1_GlobalRole(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -2833,12 +2890,94 @@ func schema_pkg_apis_iam_v0alpha1_User(ref common.ReferenceCallback) common.Open
 							Ref:         ref("github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserSpec"),
 						},
 					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserStatus"),
+						},
+					},
 				},
-				Required: []string{"metadata", "spec"},
+				Required: []string{"metadata", "spec", "status"},
 			},
 		},
 		Dependencies: []string{
-			"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserSpec", "github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_pkg_apis_iam_v0alpha1_UserHit(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"title": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"login": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"email": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"role": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"lastSeenAt": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"lastSeenAtAge": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"provisioned": {
+						SchemaProps: spec.SchemaProps{
+							Default: false,
+							Type:    []string{"boolean"},
+							Format:  "",
+						},
+					},
+					"score": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"number"},
+							Format:  "double",
+						},
+					},
+				},
+				Required: []string{"name", "title", "login", "email", "role", "lastSeenAt", "lastSeenAtAge", "provisioned", "score"},
+			},
+		},
 	}
 }
 
@@ -2965,90 +3104,15 @@ func schema_pkg_apis_iam_v0alpha1_UserStatus(ref common.ReferenceCallback) commo
 			SchemaProps: spec.SchemaProps{
 				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
-					"operatorStates": {
+					"lastSeenAt": {
 						SchemaProps: spec.SchemaProps{
-							Description: "operatorStates is a map of operator ID to operator state evaluations. Any operator which consumes this kind SHOULD add its state evaluation information to this field.",
-							Type:        []string{"object"},
-							AdditionalProperties: &spec.SchemaOrBool{
-								Allows: true,
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Default: map[string]interface{}{},
-										Ref:     ref("github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserstatusOperatorState"),
-									},
-								},
-							},
-						},
-					},
-					"additionalFields": {
-						SchemaProps: spec.SchemaProps{
-							Description: "additionalFields is reserved for future use",
-							Type:        []string{"object"},
-							AdditionalProperties: &spec.SchemaOrBool{
-								Allows: true,
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Type:   []string{"object"},
-										Format: "",
-									},
-								},
-							},
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
 						},
 					},
 				},
-			},
-		},
-		Dependencies: []string{
-			"github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1.UserstatusOperatorState"},
-	}
-}
-
-func schema_pkg_apis_iam_v0alpha1_UserstatusOperatorState(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Type: []string{"object"},
-				Properties: map[string]spec.Schema{
-					"lastEvaluation": {
-						SchemaProps: spec.SchemaProps{
-							Description: "lastEvaluation is the ResourceVersion last evaluated",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"state": {
-						SchemaProps: spec.SchemaProps{
-							Description: "state describes the state of the lastEvaluation. It is limited to three possible states for machine evaluation.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"descriptiveState": {
-						SchemaProps: spec.SchemaProps{
-							Description: "descriptiveState is an optional more descriptive state field which has no requirements on format",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"details": {
-						SchemaProps: spec.SchemaProps{
-							Description: "details contains any extra information that is operator-specific",
-							Type:        []string{"object"},
-							AdditionalProperties: &spec.SchemaOrBool{
-								Allows: true,
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Type:   []string{"object"},
-										Format: "",
-									},
-								},
-							},
-						},
-					},
-				},
-				Required: []string{"lastEvaluation", "state"},
+				Required: []string{"lastSeenAt"},
 			},
 		},
 	}

apps/iam/pkg/apis/iam_manifest.go

@@ -74,10 +74,6 @@ var appManifestData = app.ManifestData{
 					Plural:     "Users",
 					Scope:      "Namespaced",
 					Conversion: false,
-					SelectableFields: []string{
-						"spec.email",
-						"spec.login",
-					},
 				},
 
 				{
@@ -177,6 +173,36 @@ var appManifestData = app.ManifestData{
 
 								Parameters: []*spec3.Parameter{
 
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "limit",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "offset",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "page",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
 									{
 										ParameterProps: spec3.ParameterProps{
 											Name: "query",
@@ -265,6 +291,118 @@ var appManifestData = app.ManifestData{
 							},
 						},
 					},
+					"/searchUsers": {
+						Get: &spec3.Operation{
+							OperationProps: spec3.OperationProps{
+
+								OperationId: "getSearchUsers",
+
+								Parameters: []*spec3.Parameter{
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "limit",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "offset",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "page",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{},
+											},
+										},
+									},
+
+									{
+										ParameterProps: spec3.ParameterProps{
+											Name: "query",
+											In:   "query",
+											Schema: &spec.Schema{
+												SchemaProps: spec.SchemaProps{
+													Type: []string{"string"},
+												},
+											},
+										},
+									},
+								},
+
+								Responses: &spec3.Responses{
+									ResponsesProps: spec3.ResponsesProps{
+										Default: &spec3.Response{
+											ResponseProps: spec3.ResponseProps{
+												Description: "Default OK response",
+												Content: map[string]*spec3.MediaType{
+													"application/json": {
+														MediaTypeProps: spec3.MediaTypeProps{
+															Schema: &spec.Schema{
+																SchemaProps: spec.SchemaProps{
+																	Type: []string{"object"},
+																	Properties: map[string]spec.Schema{
+																		"hits": {
+																			SchemaProps: spec.SchemaProps{
+																				Type: []string{"array"},
+																				Items: &spec.SchemaOrArray{
+																					Schema: &spec.Schema{
+																						SchemaProps: spec.SchemaProps{
+
+																							Ref: spec.MustCreateRef("#/components/schemas/getSearchUsersUserHit"),
+																						}},
+																				},
+																			},
+																		},
+																		"maxScore": {
+																			SchemaProps: spec.SchemaProps{
+																				Type: []string{"number"},
+																			},
+																		},
+																		"offset": {
+																			SchemaProps: spec.SchemaProps{
+																				Type: []string{"integer"},
+																			},
+																		},
+																		"queryCost": {
+																			SchemaProps: spec.SchemaProps{
+																				Type: []string{"number"},
+																			},
+																		},
+																		"totalHits": {
+																			SchemaProps: spec.SchemaProps{
+																				Type: []string{"integer"},
+																			},
+																		},
+																	},
+																	Required: []string{
+																		"offset",
+																		"totalHits",
+																		"hits",
+																		"queryCost",
+																		"maxScore",
+																	},
+																}},
+														}},
+												},
+											},
+										},
+									}},
+							},
+						},
+					},
 				},
 				Cluster: map[string]spec3.PathProps{},
 				Schemas: map[string]spec.Schema{
@@ -307,6 +445,69 @@ var appManifestData = app.ManifestData{
 							},
 						},
 					},
+					"getSearchUsersUserHit": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"object"},
+							Properties: map[string]spec.Schema{
+								"email": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+								"lastSeenAt": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"integer"},
+									},
+								},
+								"lastSeenAtAge": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+								"login": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+								"name": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+								"provisioned": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"boolean"},
+									},
+								},
+								"role": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+								"score": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"number"},
+									},
+								},
+								"title": {
+									SchemaProps: spec.SchemaProps{
+										Type: []string{"string"},
+									},
+								},
+							},
+							Required: []string{
+								"name",
+								"title",
+								"login",
+								"email",
+								"role",
+								"lastSeenAt",
+								"lastSeenAtAge",
+								"provisioned",
+								"score",
+							},
+						},
+					},
 				},
 			},
 		},
@@ -346,6 +547,7 @@ var customRouteToGoResponseType = map[string]any{
 	"v0alpha1|Team|groups|GET": v0alpha1.GetGroups{},
 
 	"v0alpha1||<namespace>/searchTeams|GET": v0alpha1.GetSearchTeams{},
+	"v0alpha1||<namespace>/searchUsers|GET": v0alpha1.GetSearchUsers{},
 }
 
 // ManifestCustomRouteResponsesAssociator returns the associated response go type for a given kind, version, custom route path, and method, if one exists.

apps/iam/pkg/app/app.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/prometheus/client_golang/prometheus"
+
 	"github.com/grafana/grafana-app-sdk/app"
 	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana-app-sdk/operator"
@@ -12,7 +14,6 @@ import (
 	foldersKind "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
 	"github.com/grafana/grafana/apps/iam/pkg/reconcilers"
 	"github.com/grafana/grafana/pkg/services/authz"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 var appManifestData = app.ManifestData{
@@ -78,7 +79,7 @@ func New(cfg app.Config) (app.App, error) {
 	folderReconciler, err := reconcilers.NewFolderReconciler(reconcilers.ReconcilerConfig{
 		ZanzanaCfg: appSpecificConfig.ZanzanaClientCfg,
 		Metrics:    metrics,
-	})
+	}, appSpecificConfig.MetricsRegisterer)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create FolderReconciler: %w", err)
 	}

apps/iam/pkg/reconcilers/folder_reconciler.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/prometheus/client_golang/prometheus"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
@@ -35,9 +36,9 @@ type FolderReconciler struct {
 	metrics         *ReconcilerMetrics
 }
 
-func NewFolderReconciler(cfg ReconcilerConfig) (operator.Reconciler, error) {
+func NewFolderReconciler(cfg ReconcilerConfig, reg prometheus.Registerer) (operator.Reconciler, error) {
 	// Create Zanzana client
-	zanzanaClient, err := authz.NewRemoteZanzanaClient("*", cfg.ZanzanaCfg)
+	zanzanaClient, err := authz.NewRemoteZanzanaClient(cfg.ZanzanaCfg, reg)
 
 	if err != nil {
 		return nil, fmt.Errorf("unable to create zanzana client: %w", err)

apps/plugins/go.mod

@@ -74,7 +74,7 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/plugins/go.sum

@@ -174,8 +174,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

apps/provisioning/pkg/apis/provisioning/v0alpha1/jobs.go

@@ -198,6 +198,7 @@ type JobStatus struct {
 	Finished int64    `json:"finished,omitempty"`
 	Message  string   `json:"message,omitempty"`
 	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
 
 	// Optional value 0-100 that can be set while running
 	Progress float64 `json:"progress,omitempty"`
@@ -225,18 +226,20 @@ type JobResourceSummary struct {
 	Kind  string `json:"kind,omitempty"`
 	Total int64  `json:"total,omitempty"` // the count (if known)
 
-	Create int64 `json:"create,omitempty"`
-	Update int64 `json:"update,omitempty"`
-	Delete int64 `json:"delete,omitempty"`
-	Write  int64 `json:"write,omitempty"` // Create or update (export)
-	Error  int64 `json:"error,omitempty"` // The error count
+	Create  int64 `json:"create,omitempty"`
+	Update  int64 `json:"update,omitempty"`
+	Delete  int64 `json:"delete,omitempty"`
+	Write   int64 `json:"write,omitempty"`   // Create or update (export)
+	Error   int64 `json:"error,omitempty"`   // The error count
+	Warning int64 `json:"warning,omitempty"` // The warning count
 
 	// No action required (useful for sync)
 	Noop int64 `json:"noop,omitempty"`
 
-	// Report errors for this resource type
+	// Report errors/warnings for this resource type
 	// This may not be an exhaustive list and recommend looking at the logs for more info
-	Errors []string `json:"errors,omitempty"`
+	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
 }
 
 // HistoricJob is an append only log, saving all jobs that have been processed.

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.deepcopy.go

@@ -401,6 +401,11 @@ func (in *JobResourceSummary) DeepCopyInto(out *JobResourceSummary) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Warnings != nil {
+		in, out := &in.Warnings, &out.Warnings
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -468,6 +473,11 @@ func (in *JobStatus) DeepCopyInto(out *JobStatus) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Warnings != nil {
+		in, out := &in.Warnings, &out.Warnings
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Summary != nil {
 		in, out := &in.Summary, &out.Summary
 		*out = make([]*JobResourceSummary, len(*in))

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go

@@ -889,6 +889,13 @@ func schema_pkg_apis_provisioning_v0alpha1_JobResourceSummary(ref common.Referen
 							Format:      "int64",
 						},
 					},
+					"warning": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The error count",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 					"noop": {
 						SchemaProps: spec.SchemaProps{
 							Description: "No action required (useful for sync)",
@@ -898,7 +905,7 @@ func schema_pkg_apis_provisioning_v0alpha1_JobResourceSummary(ref common.Referen
 					},
 					"errors": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Report errors for this resource type This may not be an exhaustive list and recommend looking at the logs for more info",
+							Description: "Report errors/warnings for this resource type This may not be an exhaustive list and recommend looking at the logs for more info",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
@@ -911,6 +918,20 @@ func schema_pkg_apis_provisioning_v0alpha1_JobResourceSummary(ref common.Referen
 							},
 						},
 					},
+					"warnings": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 		},
@@ -1029,6 +1050,20 @@ func schema_pkg_apis_provisioning_v0alpha1_JobStatus(ref common.ReferenceCallbac
 							},
 						},
 					},
+					"warnings": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
 					"progress": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Optional value 0-100 that can be set while running",

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list

@@ -3,8 +3,10 @@ API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioni
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,FileList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,HistoryList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobResourceSummary,Errors
+API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobResourceSummary,Warnings
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,Errors
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,Summary
+API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,Warnings
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ManagerStats,Stats
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,MoveJobOptions,Paths
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,MoveJobOptions,Resources

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/jobresourcesummary.go

@@ -7,16 +7,18 @@ package v0alpha1
 // JobResourceSummaryApplyConfiguration represents a declarative configuration of the JobResourceSummary type for use
 // with apply.
 type JobResourceSummaryApplyConfiguration struct {
-	Group  *string  `json:"group,omitempty"`
-	Kind   *string  `json:"kind,omitempty"`
-	Total  *int64   `json:"total,omitempty"`
-	Create *int64   `json:"create,omitempty"`
-	Update *int64   `json:"update,omitempty"`
-	Delete *int64   `json:"delete,omitempty"`
-	Write  *int64   `json:"write,omitempty"`
-	Error  *int64   `json:"error,omitempty"`
-	Noop   *int64   `json:"noop,omitempty"`
-	Errors []string `json:"errors,omitempty"`
+	Group    *string  `json:"group,omitempty"`
+	Kind     *string  `json:"kind,omitempty"`
+	Total    *int64   `json:"total,omitempty"`
+	Create   *int64   `json:"create,omitempty"`
+	Update   *int64   `json:"update,omitempty"`
+	Delete   *int64   `json:"delete,omitempty"`
+	Write    *int64   `json:"write,omitempty"`
+	Error    *int64   `json:"error,omitempty"`
+	Warning  *int64   `json:"warning,omitempty"`
+	Noop     *int64   `json:"noop,omitempty"`
+	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
 }
 
 // JobResourceSummaryApplyConfiguration constructs a declarative configuration of the JobResourceSummary type for use with
@@ -89,6 +91,14 @@ func (b *JobResourceSummaryApplyConfiguration) WithError(value int64) *JobResour
 	return b
 }
 
+// WithWarning sets the Warning field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Warning field is set to the value of the last call.
+func (b *JobResourceSummaryApplyConfiguration) WithWarning(value int64) *JobResourceSummaryApplyConfiguration {
+	b.Warning = &value
+	return b
+}
+
 // WithNoop sets the Noop field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Noop field is set to the value of the last call.
@@ -106,3 +116,13 @@ func (b *JobResourceSummaryApplyConfiguration) WithErrors(values ...string) *Job
 	}
 	return b
 }
+
+// WithWarnings adds the given value to the Warnings field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Warnings field.
+func (b *JobResourceSummaryApplyConfiguration) WithWarnings(values ...string) *JobResourceSummaryApplyConfiguration {
+	for i := range values {
+		b.Warnings = append(b.Warnings, values[i])
+	}
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/jobstatus.go

@@ -16,6 +16,7 @@ type JobStatusApplyConfiguration struct {
 	Finished *int64                                     `json:"finished,omitempty"`
 	Message  *string                                    `json:"message,omitempty"`
 	Errors   []string                                   `json:"errors,omitempty"`
+	Warnings []string                                   `json:"warnings,omitempty"`
 	Progress *float64                                   `json:"progress,omitempty"`
 	Summary  []*provisioningv0alpha1.JobResourceSummary `json:"summary,omitempty"`
 	URLs     *RepositoryURLsApplyConfiguration          `json:"url,omitempty"`
@@ -69,6 +70,16 @@ func (b *JobStatusApplyConfiguration) WithErrors(values ...string) *JobStatusApp
 	return b
 }
 
+// WithWarnings adds the given value to the Warnings field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Warnings field.
+func (b *JobStatusApplyConfiguration) WithWarnings(values ...string) *JobStatusApplyConfiguration {
+	for i := range values {
+		b.Warnings = append(b.Warnings, values[i])
+	}
+	return b
+}
+
 // WithProgress sets the Progress field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Progress field is set to the value of the last call.

apps/scope/pkg/apis/scope/v0alpha1/types.go

@@ -211,6 +211,12 @@ type ScopeNavigationSpec struct {
 	Scope string `json:"scope"`
 	// Used to navigate to a sub-scope of the main scope. URL will not be used if this is set.
 	SubScope string `json:"subScope,omitempty"`
+	// Preload the subscope children, as soon as the ScopeNavigation is loaded.
+	PreLoadSubScopeChildren bool `json:"preLoadSubScopeChildren,omitempty"`
+	// Expands to display the subscope children when the ScopeNavigation is loaded.
+	ExpandOnLoad bool `json:"expandOnLoad,omitempty"`
+	// Makes the subscope not selectable, only serving as a way to build the tree.
+	DisableSubScopeSelection bool `json:"disableSubScopeSelection,omitempty"`
 }
 
 // Type of the item.

apps/scope/pkg/apis/scope/v0alpha1/zz_generated.openapi.go

@@ -642,6 +642,27 @@ func schema_pkg_apis_scope_v0alpha1_ScopeNavigationSpec(ref common.ReferenceCall
 							Format:      "",
 						},
 					},
+					"preLoadSubScopeChildren": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Preload the subscope children, as soon as the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"expandOnLoad": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Expands to display the subscope children when the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"disableSubScopeSelection": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Makes the subscope not selectable, only serving as a way to build the tree.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 				},
 				Required: []string{"url", "scope"},
 			},

conf/defaults.ini

@@ -1327,6 +1327,10 @@ alertmanager_max_silences_count =
 # Maximum silence size in bytes. Default: 0 (no limit).
 alertmanager_max_silence_size_bytes =
 
+# Maximum size of the expanded template output in bytes. Default: 10485760 (0 - no limit).
+# The result of template expansion will be truncated to the limit.
+alertmanager_max_template_output_bytes =
+
 # Redis server address or addresses. It can be a single Redis address if using Redis standalone,
 # or a list of comma-separated addresses if using Redis Cluster/Sentinel.
 ha_redis_address =

devenv/dev-dashboards/panel-gauge/gauge_tests_new.json

@@ -75,9 +75,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -152,9 +152,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -229,9 +229,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -306,9 +306,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -383,9 +383,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -460,9 +460,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -537,9 +537,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -627,9 +627,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -704,9 +704,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -781,9 +781,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -858,9 +858,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -952,9 +952,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1029,9 +1029,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1106,9 +1106,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1183,9 +1183,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1260,9 +1260,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1354,9 +1354,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1435,9 +1435,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1516,9 +1516,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1565,7 +1565,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1606,9 +1605,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1631,7 +1630,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 98,
           "min": 5,
           "noise": 22,
@@ -1649,7 +1647,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1690,9 +1687,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1715,7 +1712,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 98,
           "min": 5,
           "noise": 22,
@@ -1746,7 +1742,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1788,9 +1783,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1813,7 +1808,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 8,
           "min": 1,
           "noise": 2,
@@ -1831,7 +1825,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1873,9 +1866,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1898,7 +1891,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 12,
           "min": 1,
           "noise": 2,
@@ -1916,7 +1908,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -1957,9 +1948,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1982,7 +1973,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 100,
           "min": 10,
           "noise": 22,
@@ -2000,7 +1990,6 @@
       "datasource": {
         "type": "grafana-testdata-datasource"
       },
-      "description": "",
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -2041,9 +2030,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2066,7 +2055,6 @@
           "datasource": {
             "type": "grafana-testdata-datasource"
           },
-          "hide": false,
           "max": 100,
           "min": 10,
           "noise": 22,
@@ -2079,6 +2067,147 @@
       ],
       "title": "Backend",
       "type": "radialbar"
+    },
+    {
+      "collapsed": false,
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 66
+      },
+      "id": 35,
+      "panels": [],
+      "title": "Empty data",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "grafana-testdata-datasource"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 0,
+        "y": 67
+      },
+      "id": 36,
+      "options": {
+        "barWidthFactor": 0.5,
+        "effects": {
+          "barGlow": false,
+          "centerGlow": false,
+          "gradient": true,
+          "rounded": false,
+          "spotlight": false
+        },
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "segmentCount": 1,
+        "segmentSpacing": 0.3,
+        "shape": "gauge",
+        "showThresholdLabels": false,
+        "showThresholdMarkers": true,
+        "sparkline": true
+      },
+      "pluginVersion": "13.0.0-pre",
+      "targets": [
+        {
+          "refId": "A",
+          "scenarioId": "random_walk",
+          "seriesCount": 0
+        }
+      ],
+      "title": "Numeric, no series",
+      "type": "gauge"
+    },
+    {
+      "datasource": {
+        "type": "grafana-testdata-datasource"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 6,
+        "y": 67
+      },
+      "id": 37,
+      "options": {
+        "barWidthFactor": 0.5,
+        "effects": {
+          "barGlow": false,
+          "centerGlow": false,
+          "gradient": true,
+          "rounded": false,
+          "spotlight": false
+        },
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "segmentCount": 1,
+        "segmentSpacing": 0.3,
+        "shape": "gauge",
+        "showThresholdLabels": false,
+        "showThresholdMarkers": true,
+        "sparkline": true
+      },
+      "pluginVersion": "13.0.0-pre",
+      "targets": [
+        {
+          "refId": "A",
+          "scenarioId": "logs"
+        }
+      ],
+      "title": "Non-numeric",
+      "type": "gauge"
     }
   ],
   "preload": false,
@@ -2095,5 +2224,5 @@
   "timezone": "browser",
   "title": "Panel tests - Gauge (new)",
   "uid": "panel-tests-gauge-new",
-  "version": 6
+  "version": 9
 }

devenv/scopes/scopes-config.yaml

@@ -83,6 +83,12 @@ tree:
             nodeType: leaf
             linkId: test-case-2
             linkType: scope
+          test-case-redirect:
+            title: Test case with redirect
+            nodeType: leaf
+            linkId: shoe-org
+            linkType: scope
+            redirectPath: /d/dcb9f5e9-8066-4397-889e-864b99555dbb #Reliability dashboard
       clusters:
         title: Clusters
         nodeType: container
@@ -204,6 +210,7 @@ navigationTree:
     url: /d/UTv--wqMk
     scope: shoe-org
     subScope: apparel
+    disableSubScopeSelection: true
     children:
       - name: apparel-product-overview
         title: Product Overview

devenv/scopes/scopes.go

@@ -67,30 +67,34 @@ type ScopeFilterConfig struct {
 type TreeNode struct {
 	Title              string              `yaml:"title"`
 	SubTitle           string              `yaml:"subTitle,omitempty"`
+	Description        string              `yaml:"description,omitempty"`
 	NodeType           string              `yaml:"nodeType"`
 	LinkID             string              `yaml:"linkId,omitempty"`
 	LinkType           string              `yaml:"linkType,omitempty"`
 	DisableMultiSelect bool                `yaml:"disableMultiSelect,omitempty"`
+	RedirectPath       string              `yaml:"redirectPath,omitempty"`
 	Children           map[string]TreeNode `yaml:"children,omitempty"`
 }
 
 type NavigationConfig struct {
-	URL      string   `yaml:"url"`      // URL path (e.g., /d/abc123 or /explore)
-	Scope    string   `yaml:"scope"`    // Required scope
-	SubScope string   `yaml:"subScope"` // Optional subScope for hierarchical navigation
-	Title    string   `yaml:"title"`    // Display title
-	Groups   []string `yaml:"groups"`   // Optional groups for categorization
+	URL                      string   `yaml:"url"`                      // URL path (e.g., /d/abc123 or /explore)
+	Scope                    string   `yaml:"scope"`                    // Required scope
+	SubScope                 string   `yaml:"subScope"`                 // Optional subScope for hierarchical navigation
+	Title                    string   `yaml:"title"`                    // Display title
+	Groups                   []string `yaml:"groups"`                   // Optional groups for categorization
+	DisableSubScopeSelection bool     `yaml:"disableSubScopeSelection"` // Makes the subscope not selectable
 }
 
 // NavigationTreeNode represents a node in the navigation tree structure
 type NavigationTreeNode struct {
-	Name     string               `yaml:"name"`
-	Title    string               `yaml:"title"`
-	URL      string               `yaml:"url"`
-	Scope    string               `yaml:"scope"`
-	SubScope string               `yaml:"subScope,omitempty"`
-	Groups   []string             `yaml:"groups,omitempty"`
-	Children []NavigationTreeNode `yaml:"children,omitempty"`
+	Name                     string               `yaml:"name"`
+	Title                    string               `yaml:"title"`
+	URL                      string               `yaml:"url"`
+	Scope                    string               `yaml:"scope"`
+	SubScope                 string               `yaml:"subScope,omitempty"`
+	Groups                   []string             `yaml:"groups,omitempty"`
+	DisableSubScopeSelection bool                 `yaml:"disableSubScopeSelection,omitempty"`
+	Children                 []NavigationTreeNode `yaml:"children,omitempty"`
 }
 
 // Helper function to convert ScopeFilterConfig to v0alpha1.ScopeFilter
@@ -259,6 +263,7 @@ func (c *Client) createScopeNode(name string, node TreeNode, parentName string)
 	spec := v0alpha1.ScopeNodeSpec{
 		Title:              node.Title,
 		SubTitle:           node.SubTitle,
+		Description:        node.Description,
 		NodeType:           nodeType,
 		DisableMultiSelect: node.DisableMultiSelect,
 	}
@@ -272,6 +277,10 @@ func (c *Client) createScopeNode(name string, node TreeNode, parentName string)
 		spec.LinkType = linkType
 	}
 
+	if node.RedirectPath != "" {
+		spec.RedirectPath = node.RedirectPath
+	}
+
 	resource := v0alpha1.ScopeNode{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: apiVersion,
@@ -306,8 +315,9 @@ func (c *Client) createScopeNavigation(name string, nav NavigationConfig) error
 	prefixedScope := prefix + "-" + nav.Scope
 
 	spec := v0alpha1.ScopeNavigationSpec{
-		URL:   nav.URL,
-		Scope: prefixedScope,
+		URL:                      nav.URL,
+		Scope:                    prefixedScope,
+		DisableSubScopeSelection: nav.DisableSubScopeSelection,
 	}
 
 	if nav.SubScope != "" {
@@ -397,9 +407,10 @@ func treeToNavigations(node NavigationTreeNode, parentPath []string, dashboardCo
 
 	// Create navigation for this node
 	nav := NavigationConfig{
-		URL:   url,
-		Scope: node.Scope,
-		Title: node.Title,
+		URL:                      url,
+		Scope:                    node.Scope,
+		Title:                    node.Title,
+		DisableSubScopeSelection: node.DisableSubScopeSelection,
 	}
 	if node.SubScope != "" {
 		nav.SubScope = node.SubScope

docs/Makefile

@@ -7,8 +7,8 @@ MAKEFLAGS += --no-builtin-rule
 
 include docs.mk
 
-.PHONY: sources/panels-visualizations/query-transform-data/transform-data/index.md
-sources/panels-visualizations/query-transform-data/transform-data/index.md: ## Generate the Transform Data page source.
+.PHONY: sources/visualizations/panels-visualizations/query-transform-data/transform-data/index.md
+sources/visualizations/panels-visualizations/query-transform-data/transform-data/index.md: ## Generate the Transform Data page source.
 	cd $(CURDIR)/.. && \
 	npx tsx ./scripts/docs/generate-transformations.ts && \
 	npx prettier -w $(CURDIR)/$@

docs/sources/administration/plugin-management/plugin-install.md

@@ -21,11 +21,28 @@ weight: 120
 
 # Install a plugin
 
-Besides the UI, you can use alternative methods to install a plugin depending on your environment or set-up.
+{{< admonition type="note" >}}
+
+Installing plugins from the Grafana website into a Grafana Cloud instance will be removed in February 2026.
+
+If you're a Grafana Cloud user, follow [Install a plugin through the Grafana UI](#install-a-plugin-through-the-grafana-uiinstall-a-plugin-through-the-grafana-ui) instead.
+
+{{< /admonition >}}
+
+## Install a plugin through the Grafana UI
+
+The most common way to install a plugin is through the Grafana UI.
+
+1. In Grafana, click **Administration > Plugins and data > Plugins** in the side navigation menu to view all plugins.
+1. Browse and find a plugin.
+1. Click the plugin's logo.
+1. Click **Install**.
+
+You can use use the following alternative methods to install a plugin depending on your environment or setup.
 
 ## Install a plugin using Grafana CLI
 
-The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](/docs/grafana/<GRAFANA_VERSION>/cli/#plugins-commands).
+The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/cli/#plugins-commands).
 
 ## Install a plugin from a ZIP file
 

docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md

@@ -44,7 +44,7 @@ refs:
       destination: /docs/grafana-cloud/alerting-and-irm/oncall/user-and-team-management/#available-grafana-oncall-rbac-roles--granted-actions
 ---
 
-# RBAC role definitions
+# Grafana RBAC role definitions
 
 {{< admonition type="note" >}}
 Available in [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud).
@@ -59,7 +59,7 @@ The following tables list permissions associated with basic and fixed roles. Thi
 | Grafana Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `basic_grafana_admin`                                                                                                                                    |
 | `fixed:authentication.config:writer`<br>`fixed:general.auth.config:writer`<br>`fixed:ldap:writer`<br>`fixed:licensing:writer`<br>`fixed:migrationassistant:migrator`<br>`fixed:org.users:writer`<br>`fixed:organization:maintainer`<br>`fixed:plugins:maintainer`<br>`fixed:provisioning:writer`<br>`fixed:roles:writer`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:stats:reader`<br>`fixed:support.bundles:writer`<br>`fixed:usagestats:reader`<br>`fixed:users:writer` | Default [Grafana server administrator](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#grafana-server-administrators) assignments. |
 | Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | `basic_admin`                                                                                                                                            | All roles assigned to Editor and `fixed:reports:writer` <br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:writer`<br>`fixed:plugins:writer`<br>`fixed:library.panels:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
-| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer`                                                                                                                                                                                                                                                                            | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.provenance:writer`                                                                                                                                                                                                                                                                        | Default [Editor](ref:rbac-basic-roles) assignments.                             |
 | Viewer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_viewer`                                                                                                                                           | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:folders.general:reader`<br>`fixed:datasources.builtin:reader`                                                                                                                                                                                             | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
 | No Basic Role                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | n/a                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default [No Basic Role](ref:rbac-basic-roles)                                   |
 
@@ -74,86 +74,86 @@ These UUIDs won't be available if your instance was created before Grafana v10.2
 To learn how to use the roles API to determine the role UUIDs, refer to [Manage RBAC roles](ref:rbac-manage-rbac-roles).
 {{< /admonition >}}
 
-| Fixed role                                   | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
-| -------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `fixed:alerting:reader`                      | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting:writer`                      | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
-| `fixed:alerting.instances:reader`            | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
-| `fixed:alerting.instances:writer`            | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
-| `fixed:alerting.notifications:reader`        | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
-| `fixed:alerting.notifications:writer`        | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
-| `fixed:alerting.provisioning:writer`         | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
-| `fixed:alerting.provisioning.secrets:reader` | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
-| `fixed:alerting.provisioning.status:writer`  | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting.rules:reader`                | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
-| `fixed:alerting.rules:writer`                | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
-| `fixed:annotations:reader`                   | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
-| `fixed:annotations:writer`                   | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:annotations.dashboard:writer`         | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:authentication.config:writer`         | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
-| `fixed:general.auth.config:writer`           | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
-| `fixed:dashboards:creator`                   | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
-| `fixed:dashboards:reader`                    | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
-| `fixed:dashboards:writer`                    | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
-| `fixed:dashboards.insights:reader`           | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
-| `fixed:dashboards.permissions:reader`        | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
-| `fixed:dashboards.permissions:writer`        | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
-| `fixed:dashboards.public:writer`             | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
-| `fixed:datasources:creator`                  | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
-| `fixed:datasources:explorer`                 | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
-| `fixed:datasources:reader`                   | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
-| `fixed:datasources:writer`                   | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
-| `fixed:datasources.builtin:reader`           | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
-| `fixed:datasources.caching:reader`           | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
-| `fixed:datasources.caching:writer`           | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
-| `fixed:datasources.id:reader`                | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
-| `fixed:datasources.insights:reader`          | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
-| `fixed:datasources.permissions:reader`       | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
-| `fixed:datasources.permissions:writer`       | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
-| `fixed:folders:creator`                      | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
-| `fixed:folders:reader`                       | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
-| `fixed:folders:writer`                       | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
-| `fixed:folders.general:reader`               | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
-| `fixed:folders.permissions:reader`           | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
-| `fixed:folders.permissions:writer`           | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
-| `fixed:ldap:reader`                          | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
-| `fixed:ldap:writer`                          | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
-| `fixed:library.panels:creator`               | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
-| `fixed:library.panels:general.reader`        | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
-| `fixed:library.panels:general.writer`        | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
-| `fixed:library.panels:reader`                | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
-| `fixed:library.panels:writer`                | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
-| `fixed:licensing:reader`                     | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
-| `fixed:licensing:writer`                     | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
-| `fixed:migrationassistant:migrator`          | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
-| `fixed:org.users:reader`                     | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
-| `fixed:org.users:writer`                     | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
-| `fixed:organization:maintainer`              | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
-| `fixed:organization:reader`                  | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
-| `fixed:organization:writer`                  | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
-| `fixed:plugins:maintainer`                   | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
-| `fixed:plugins:writer`                       | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
-| `fixed:plugins.app:reader`                   | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
-| `fixed:provisioning:writer`                  | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
-| `fixed:reports:reader`                       | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
-| `fixed:reports:writer`                       | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
-| `fixed:roles:reader`                         | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
-| `fixed:roles:resetter`                       | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
-| `fixed:roles:writer`                         | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
-| `fixed:serviceaccounts:creator`              | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
-| `fixed:serviceaccounts:reader`               | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
-| `fixed:serviceaccounts:writer`               | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
-| `fixed:settings:reader`                      | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
-| `fixed:settings:writer`                      | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
-| `fixed:stats:reader`                         | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
-| `fixed:support.bundles:reader`               | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
-| `fixed:support.bundles:writer`               | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
-| `fixed:teams:creator`                        | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
-| `fixed:teams:read`                           | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
-| `fixed:teams:writer`                         | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
-| `fixed:usagestats:reader`                    | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
-| `fixed:users:reader`                         | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
-| `fixed:users:writer`                         | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
+| Fixed role                                      | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
+| ----------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `fixed:alerting:reader`                         | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting:writer`                         | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
+| `fixed:alerting.instances:reader`               | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
+| `fixed:alerting.instances:writer`               | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
+| `fixed:alerting.notifications:reader`           | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
+| `fixed:alerting.notifications:writer`           | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
+| `fixed:alerting.provisioning:writer`            | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
+| `fixed:alerting.provisioning.secrets:reader`    | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
+| `fixed:alerting.provisioning.provenance:writer` | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting.rules:reader`                   | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
+| `fixed:alerting.rules:writer`                   | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
+| `fixed:annotations:reader`                      | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
+| `fixed:annotations:writer`                      | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:annotations.dashboard:writer`            | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:authentication.config:writer`            | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
+| `fixed:general.auth.config:writer`              | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
+| `fixed:dashboards:creator`                      | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
+| `fixed:dashboards:reader`                       | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
+| `fixed:dashboards:writer`                       | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
+| `fixed:dashboards.insights:reader`              | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
+| `fixed:dashboards.permissions:reader`           | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
+| `fixed:dashboards.permissions:writer`           | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
+| `fixed:dashboards.public:writer`                | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
+| `fixed:datasources:creator`                     | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
+| `fixed:datasources:explorer`                    | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
+| `fixed:datasources:reader`                      | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
+| `fixed:datasources:writer`                      | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
+| `fixed:datasources.builtin:reader`              | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
+| `fixed:datasources.caching:reader`              | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
+| `fixed:datasources.caching:writer`              | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
+| `fixed:datasources.id:reader`                   | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
+| `fixed:datasources.insights:reader`             | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
+| `fixed:datasources.permissions:reader`          | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
+| `fixed:datasources.permissions:writer`          | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
+| `fixed:folders:creator`                         | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
+| `fixed:folders:reader`                          | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
+| `fixed:folders:writer`                          | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
+| `fixed:folders.general:reader`                  | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
+| `fixed:folders.permissions:reader`              | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
+| `fixed:folders.permissions:writer`              | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
+| `fixed:ldap:reader`                             | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
+| `fixed:ldap:writer`                             | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
+| `fixed:library.panels:creator`                  | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
+| `fixed:library.panels:general.reader`           | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
+| `fixed:library.panels:general.writer`           | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
+| `fixed:library.panels:reader`                   | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
+| `fixed:library.panels:writer`                   | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
+| `fixed:licensing:reader`                        | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
+| `fixed:licensing:writer`                        | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
+| `fixed:migrationassistant:migrator`             | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
+| `fixed:org.users:reader`                        | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
+| `fixed:org.users:writer`                        | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
+| `fixed:organization:maintainer`                 | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
+| `fixed:organization:reader`                     | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
+| `fixed:organization:writer`                     | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
+| `fixed:plugins:maintainer`                      | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
+| `fixed:plugins:writer`                          | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
+| `fixed:plugins.app:reader`                      | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
+| `fixed:provisioning:writer`                     | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
+| `fixed:reports:reader`                          | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
+| `fixed:reports:writer`                          | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
+| `fixed:roles:reader`                            | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
+| `fixed:roles:resetter`                          | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
+| `fixed:roles:writer`                            | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
+| `fixed:serviceaccounts:creator`                 | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
+| `fixed:serviceaccounts:reader`                  | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
+| `fixed:serviceaccounts:writer`                  | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
+| `fixed:settings:reader`                         | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
+| `fixed:settings:writer`                         | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
+| `fixed:stats:reader`                            | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
+| `fixed:support.bundles:reader`                  | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
+| `fixed:support.bundles:writer`                  | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
+| `fixed:teams:creator`                           | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
+| `fixed:teams:read`                              | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
+| `fixed:teams:writer`                            | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
+| `fixed:usagestats:reader`                       | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
+| `fixed:users:reader`                            | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
+| `fixed:users:writer`                            | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
 
 ### Alerting roles
 
@@ -164,10 +164,20 @@ Access to Grafana alert rules is an intersection of many permissions:
 - Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
 - Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
 
-There is only one exclusion at this moment. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
+There is only one exclusion. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
 
 For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder](ref:plan-rbac-rollout-strategy-create-a-custom-role-to-access-alerts-in-a-folder).
 
+#### Alerting basic roles
+
+The following table lists the default RBAC alerting role assignments to the basic roles:
+
+| Basic role | Associated fixed roles                                                                                          | Description                                                                     |
+| ---------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
+| Admin      | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
+| Editor     | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.provenance:writer`                                      | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Viewer     | `fixed:alerting:reader`                                                                                         | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
+
 ### Grafana OnCall roles
 
 If you are using [Grafana OnCall](ref:oncall), you can try out the integration between Grafana OnCall and RBAC.

docs/sources/alerting/configure-notifications/manage-contact-points/integrations/configure-alertmanager.md

@@ -59,9 +59,9 @@ For more details on contact points, including how to test them and enable notifi
 
 ## Alertmanager settings
 
-| Option | Description                                                                                                                        |
-| ------ | ---------------------------------------------------------------------------------------------------------------------------------- |
-| URL    | The Alertmanager URL. This field is [protected](ref:configure-contact-points#protected-fields) from modification in Grafana Cloud. |
+| Option | Description                                                                                                       |
+| ------ | ----------------------------------------------------------------------------------------------------------------- |
+| URL    | The Alertmanager URL. This field is [protected](ref:configure-contact-points) from modification in Grafana Cloud. |
 
 #### Optional settings
 

docs/sources/alerting/configure-notifications/manage-contact-points/integrations/configure-jira.md

@@ -49,14 +49,14 @@ For more details on contact points, including how to test them and enable notifi
 
 ### Required Settings
 
-| Key                 | Description                                                                                                                                                                                                                                         |
-| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| URL                 | The URL of the REST API of your Jira instance. Supported versions: `2` and `3` (e.g., `https://your-domain.atlassian.net/rest/api/3`). This field is [protected](ref:configure-contact-points#protected-fields) from modification in Grafana Cloud. |
-| Basic Auth User     | Username for authentication. For Jira Cloud, use your email address.                                                                                                                                                                                |
-| Basic Auth Password | Password or personal token. For Jira Cloud, you need to obtain a personal token [here](https://id.atlassian.com/manage-profile/security/api-tokens) and use it as the password.                                                                     |
-| API Token           | An alternative to basic authentication, a bearer token is used to authorize the API requests. See [Jira documentation](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html) for more information.              |
-| Project Key         | The project key identifying the project where issues will be created. Project keys are unique identifiers for a project.                                                                                                                            |
-| Issue Type          | The type of issue to create (e.g., `Task`, `Bug`, `Incident`). Make sure that you specify a type that is available in your project.                                                                                                                 |
+| Key                 | Description                                                                                                                                                                                                                            |
+| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| URL                 | The URL of the REST API of your Jira instance. Supported versions: `2` and `3` (e.g., `https://your-domain.atlassian.net/rest/api/3`). This field is [protected](ref:configure-contact-points) from modification in Grafana Cloud.     |
+| Basic Auth User     | Username for authentication. For Jira Cloud, use your email address.                                                                                                                                                                   |
+| Basic Auth Password | Password or personal token. For Jira Cloud, you need to obtain a personal token [here](https://id.atlassian.com/manage-profile/security/api-tokens) and use it as the password.                                                        |
+| API Token           | An alternative to basic authentication, a bearer token is used to authorize the API requests. See [Jira documentation](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html) for more information. |
+| Project Key         | The project key identifying the project where issues will be created. Project keys are unique identifiers for a project.                                                                                                               |
+| Issue Type          | The type of issue to create (e.g., `Task`, `Bug`, `Incident`). Make sure that you specify a type that is available in your project.                                                                                                    |
 
 ### Optional Settings
 

docs/sources/alerting/configure-notifications/manage-contact-points/integrations/configure-mqtt.md

@@ -54,10 +54,10 @@ For more details on contact points, including how to test them and enable notifi
 
 ### Required Settings
 
-| Option     | Description                                                                                                                              |
-| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
-| Broker URL | The URL of the MQTT broker. This field is [protected](ref:configure-contact-points#protected-fields) from modification in Grafana Cloud. |
-| Topic      | The topic to which the message will be sent.                                                                                             |
+| Option     | Description                                                                                                             |
+| ---------- | ----------------------------------------------------------------------------------------------------------------------- |
+| Broker URL | The URL of the MQTT broker. This field is [protected](ref:configure-contact-points) from modification in Grafana Cloud. |
+| Topic      | The topic to which the message will be sent.                                                                            |
 
 ### Optional Settings
 

docs/sources/alerting/configure-notifications/manage-contact-points/integrations/configure-slack.md

@@ -51,8 +51,8 @@ You can customize the `title` and `body` of the Slack message using [notificatio
 
 If you are using a Slack API Token, complete the following steps.
 
-1. Follow steps 1 and 2 of the [Slack API Quickstart](https://api.slack.com/start/quickstart).
-1. Add the [chat:write.public](https://api.slack.com/scopes/chat:write.public) scope to give your app the ability to post in all public channels without joining.
+1. Follow step 1 of the [Slack API Quickstart](https://docs.slack.dev/app-management/quickstart-app-settings/#creating) to create the app.
+1. Continue onto the second step of the [Slack API Quickstart](https://docs.slack.dev/app-management/quickstart-app-settings/#scopes) and add the [chat:write.public](https://api.slack.com/scopes/chat:write.public) scope as described to give your app the ability to post in all public channels without joining.
 1. In OAuth Tokens for Your Workspace, copy the Bot User OAuth Token.
 1. Open your Slack workplace.
 1. Right click the channel you want to receive notifications in.

docs/sources/alerting/configure-notifications/manage-contact-points/integrations/webhook-notifier.md

@@ -62,9 +62,9 @@ For more details on contact points, including how to test them and enable notifi
 
 ## Webhook settings
 
-| Option | Description                                                                                                                   |
-| ------ | ----------------------------------------------------------------------------------------------------------------------------- |
-| URL    | The Webhook URL. This field is [protected](ref:configure-contact-points#protected-fields) from modification in Grafana Cloud. |
+| Option | Description                                                                                                  |
+| ------ | ------------------------------------------------------------------------------------------------------------ |
+| URL    | The Webhook URL. This field is [protected](ref:configure-contact-points) from modification in Grafana Cloud. |
 
 #### Optional settings
 

docs/sources/alerting/set-up/configure-alert-state-history/index.md

@@ -62,6 +62,9 @@ The following steps describe a basic configuration:
 
    # The URL of the Loki server
    loki_remote_url = http://localhost:3100
+
+   [feature_toggles]
+   enable = alertingCentralAlertHistory
    ```
 
 1. **Configure the Loki data source in Grafana**

docs/sources/alerting/set-up/configure-rbac/_index.md

@@ -17,55 +17,166 @@ weight: 155
 
 # Configure RBAC
 
-Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
+[Role-based access control (RBAC)](/docs/grafana/latest/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
 
-A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
+A user is any individual who can log in to Grafana. Each user has a role that includes permissions. Permissions determine the tasks a user can perform in the system.
 
 Each permission contains one or more actions and a scope.
 
+## Role types
+
+Grafana has three types of roles for managing access:
+
+- **Basic roles**: Admin, Editor, Viewer, and No basic role. These are assigned to users and provide default access levels.
+- **Fixed roles**: Predefined groups of permissions for specific use cases. Basic roles automatically include certain fixed roles.
+- **Custom roles**: User-defined roles that combine specific permissions for granular access control.
+
+## Basic role permissions
+
+The following table summarizes the default alerting permissions for each basic role.
+
+| Capability                                | Admin | Editor | Viewer |
+| ----------------------------------------- | :---: | :----: | :----: |
+| View alert rules                          |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete alert rules      |   ✓   |   ✓    |        |
+| View silences                             |   ✓   |   ✓    |   ✓    |
+| Create, edit, and expire silences         |   ✓   |   ✓    |        |
+| View contact points and templates         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete contact points   |   ✓   |   ✓    |        |
+| View notification policies                |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete policies         |   ✓   |   ✓    |        |
+| View mute timings                         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete timing intervals |   ✓   |   ✓    |        |
+| Access provisioning API                   |   ✓   |   ✓    |        |
+| Export with decrypted secrets             |   ✓   |        |        |
+
+{{< admonition type="note" >}}
+Access to alert rules also requires permission to read the folder containing the rules and permission to query the data sources used in the rules.
+{{< /admonition >}}
+
 ## Permissions
 
-Grafana Alerting has the following permissions.
+Grafana Alerting has the following permissions organized by resource type.
 
-| Action                                       | Applicable scope                       | Description                                                                                                                                                                                                                                       |
-| -------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `alert.instances.external:read`              | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.                                                                                                                                                                                   |
-| `alert.instances.external:write`             | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting.                                                                                                                                                                                 |
-| `alert.instances:create`                     | n/a                                    | Create silences in the current organization.                                                                                                                                                                                                      |
-| `alert.instances:read`                       | n/a                                    | Read alerts and silences in the current organization.                                                                                                                                                                                             |
-| `alert.instances:write`                      | n/a                                    | Update and expire silences in the current organization.                                                                                                                                                                                           |
-| `alert.notifications.external:read`          | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                    |
-| `alert.notifications.external:write`         | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                  |
-| `alert.notifications:write`                  | n/a                                    | Manage templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                            |
-| `alert.notifications:read`                   | n/a                                    | Read all templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                          |
-| `alert.rules.external:read`                  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)                                                                                                                                                              |
-| `alert.rules.external:write`                 | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).                                                                                                                                                    |
-| `alert.rules:create`                         | `folders:*`<br>`folders:uid:*`         | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
-| `alert.rules:delete`                         | `folders:*`<br>`folders:uid:*`         | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
-| `alert.rules:read`                           | `folders:*`<br>`folders:uid:*`         | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
-| `alert.rules:write`                          | `folders:*`<br>`folders:uid:*`         | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
-| `alert.silences:create`                      | `folders:*`<br>`folders:uid:*`         | Create rule-specific silences in a folder and its subfolders.                                                                                                                                                                                     |
-| `alert.silences:read`                        | `folders:*`<br>`folders:uid:*`         | Read all general silences and rule-specific silences in a folder and its subfolders.                                                                                                                                                              |
-| `alert.silences:write`                       | `folders:*`<br>`folders:uid:*`         | Update and expire rule-specific silences in a folder and its subfolders.                                                                                                                                                                          |
-| `alert.provisioning:read`                    | n/a                                    | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                           |
-| `alert.provisioning.secrets:read`            | n/a                                    | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                                                                                                        |
-| `alert.provisioning:write`                   | n/a                                    | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                         |
-| `alert.provisioning.provenance:write`        | n/a                                    | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources                                                                                                                       |
-| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*`     | Read contact points.                                                                                                                                                                                                                              |
-| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*`     | Export contact points with decrypted secrets.                                                                                                                                                                                                     |
-| `alert.notifications.receivers:create`       | n/a                                    | Create a new contact points. The creator is automatically granted full access to the created contact point.                                                                                                                                       |
-| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*`     | Update existing contact points.                                                                                                                                                                                                                   |
-| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*`     | Update and delete existing contact points.                                                                                                                                                                                                        |
-| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*`     | Read permissions for contact points.                                                                                                                                                                                                              |
-| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*`     | Manage permissions for contact points.                                                                                                                                                                                                            |
-| `alert.notifications.time-intervals:read`    | n/a                                    | Read mute time intervals.                                                                                                                                                                                                                         |
-| `alert.notifications.time-intervals:write`   | n/a                                    | Create new or update existing mute time intervals.                                                                                                                                                                                                |
-| `alert.notifications.time-intervals:delete`  | n/a                                    | Delete existing time intervals.                                                                                                                                                                                                                   |
-| `alert.notifications.templates:read`         | n/a                                    | Read templates.                                                                                                                                                                                                                                   |
-| `alert.notifications.templates:write`        | n/a                                    | Create new or update existing templates.                                                                                                                                                                                                          |
-| `alert.notifications.templates:delete`       | n/a                                    | Delete existing templates.                                                                                                                                                                                                                        |
-| `alert.notifications.templates.test:write`   | n/a                                    | Test templates with custom payloads (preview and payload editor functionality).                                                                                                                                                                   |
-| `alert.notifications.routes:read`            | n/a                                    | Read notification policies.                                                                                                                                                                                                                       |
-| `alert.notifications.routes:write`           | n/a                                    | Create new, update and update notification policies.                                                                                                                                                                                              |
+### Alert rules
+
+Permissions for managing Grafana-managed alert rules.
+
+| Action               | Applicable scope               | Description                                                                                                                                                                                                                                       |
+| -------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
+| `alert.rules:read`   | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
+| `alert.rules:write`  | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
+| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
+
+### External alert rules
+
+Permissions for managing alert rules in external data sources that support alerting.
+
+| Action                       | Applicable scope                       | Description                                                                                    |
+| ---------------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------- |
+| `alert.rules.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki).          |
+| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
+
+### Alert instances and silences
+
+Permissions for managing alert instances and silences in Grafana.
+
+| Action                   | Applicable scope               | Description                                                                          |
+| ------------------------ | ------------------------------ | ------------------------------------------------------------------------------------ |
+| `alert.instances:read`   | n/a                            | Read alerts and silences in the current organization.                                |
+| `alert.instances:create` | n/a                            | Create silences in the current organization.                                         |
+| `alert.instances:write`  | n/a                            | Update and expire silences in the current organization.                              |
+| `alert.silences:read`    | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
+| `alert.silences:create`  | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders.                        |
+| `alert.silences:write`   | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders.             |
+
+### External alert instances
+
+Permissions for managing alert instances in external data sources.
+
+| Action                           | Applicable scope                       | Description                                                       |
+| -------------------------------- | -------------------------------------- | ----------------------------------------------------------------- |
+| `alert.instances.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.   |
+| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
+
+### Contact points
+
+Permissions for managing contact points (notification receivers).
+
+| Action                                       | Applicable scope                   | Description                                                                                                 |
+| -------------------------------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.receivers:list`         | n/a                                | List contact points in the current organization.                                                            |
+| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*` | Read contact points.                                                                                        |
+| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*` | Export contact points with decrypted secrets.                                                               |
+| `alert.notifications.receivers:create`       | n/a                                | Create a new contact points. The creator is automatically granted full access to the created contact point. |
+| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*` | Update existing contact points.                                                                             |
+| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*` | Update and delete existing contact points.                                                                  |
+| `alert.notifications.receivers:test`         | `receivers:*`<br>`receivers:uid:*` | Test contact points to verify their configuration.                                                          |
+| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*` | Read permissions for contact points.                                                                        |
+| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*` | Manage permissions for contact points.                                                                      |
+
+### Notification policies
+
+Permissions for managing notification policies (routing rules).
+
+| Action                             | Applicable scope | Description                                           |
+| ---------------------------------- | ---------------- | ----------------------------------------------------- |
+| `alert.notifications.routes:read`  | n/a              | Read notification policies.                           |
+| `alert.notifications.routes:write` | n/a              | Create new, update, and delete notification policies. |
+
+### Time intervals
+
+Permissions for managing mute time intervals.
+
+| Action                                      | Applicable scope | Description                                        |
+| ------------------------------------------- | ---------------- | -------------------------------------------------- |
+| `alert.notifications.time-intervals:read`   | n/a              | Read mute time intervals.                          |
+| `alert.notifications.time-intervals:write`  | n/a              | Create new or update existing mute time intervals. |
+| `alert.notifications.time-intervals:delete` | n/a              | Delete existing time intervals.                    |
+
+### Templates
+
+Permissions for managing notification templates.
+
+| Action                                     | Applicable scope | Description                                                                     |
+| ------------------------------------------ | ---------------- | ------------------------------------------------------------------------------- |
+| `alert.notifications.templates:read`       | n/a              | Read templates.                                                                 |
+| `alert.notifications.templates:write`      | n/a              | Create new or update existing templates.                                        |
+| `alert.notifications.templates:delete`     | n/a              | Delete existing templates.                                                      |
+| `alert.notifications.templates.test:write` | n/a              | Test templates with custom payloads (preview and payload editor functionality). |
+
+### General notifications
+
+Legacy permissions for managing all notification resources.
+
+| Action                      | Applicable scope | Description                                                                                              |
+| --------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------- |
+| `alert.notifications:read`  | n/a              | Read all templates, contact points, notification policies, and mute timings in the current organization. |
+| `alert.notifications:write` | n/a              | Manage templates, contact points, notification policies, and mute timings in the current organization.   |
+
+### External notifications
+
+Permissions for managing notification resources in external data sources.
+
+| Action                               | Applicable scope                       | Description                                                                                                      |
+| ------------------------------------ | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.   |
+| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
+
+### Provisioning
+
+Permissions for managing alerting resources via the provisioning API.
+
+| Action                                   | Applicable scope | Description                                                                                                                                                        |
+| ---------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `alert.provisioning:read`                | n/a              | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                            |
+| `alert.provisioning.secrets:read`        | n/a              | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                         |
+| `alert.provisioning:write`               | n/a              | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                          |
+| `alert.rules.provisioning:read`          | n/a              | Read Grafana alert rules via provisioning API. More specific than `alert.provisioning:read`.                                                                       |
+| `alert.rules.provisioning:write`         | n/a              | Create, update, and delete Grafana alert rules via provisioning API. More specific than `alert.provisioning:write`.                                                |
+| `alert.notifications.provisioning:read`  | n/a              | Read notification resources (contact points, notification policies, templates, time intervals) via provisioning API. More specific than `alert.provisioning:read`. |
+| `alert.notifications.provisioning:write` | n/a              | Create, update, and delete notification resources via provisioning API. More specific than `alert.provisioning:write`.                                             |
+| `alert.provisioning.provenance:write`    | n/a              | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources.                                       |
 
 To help plan your RBAC rollout strategy, refer to [Plan your RBAC rollout strategy](https://grafana.com/docs/grafana/next/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/).

docs/sources/alerting/set-up/configure-rbac/access-folders/index.md

@@ -16,7 +16,7 @@ title: Manage access using folders or data sources
 weight: 200
 ---
 
-## Manage access using folders or data sources
+# Manage access using folders or data sources
 
 You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders or data sources.
 

docs/sources/alerting/set-up/configure-rbac/access-roles/index.md

@@ -55,7 +55,7 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Full read-only access: `fixed:alerting:reader`                                           | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                                                                                               | Read alert rules, alert instances, silences, contact points, and notification policies in Grafana and external providers.                                |
 | Read via Provisioning API + Export Secrets: `fixed:alerting.provisioning.secrets:reader` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                                                                                                 | Read alert rules, alert instances, silences, contact points, and notification policies using the provisioning API and use export with decrypted secrets. |
 | Access to alert rules provisioning API: `fixed:alerting.provisioning:writer`             | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                                                                                        | Manage all alert rules, notification policies, contact points, templates, in the organization using the provisioning API.                                |
-| Set provisioning status: `fixed:alerting.provisioning.status:writer`                     | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
+| Set provisioning status: `fixed:alerting.provisioning.provenance:writer`                 | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
 | Contact Point Reader: `fixed:alerting.receivers:reader`                                  | `alert.notifications.receivers:read` for scope `receivers:*`                                                                                                                                                                                                                                                                                    | Read all contact points.                                                                                                                                 |
 | Contact Point Creator: `fixed:alerting.receivers:creator`                                | `alert.notifications.receivers:create`                                                                                                                                                                                                                                                                                                          | Create a new contact point. The user is automatically granted full access to the created contact point.                                                  |
 | Contact Point Writer: `fixed:alerting.receivers:writer`                                  | `alert.notifications.receivers:read`, `alert.notifications.receivers:write`, `alert.notifications.receivers:delete` for scope `receivers:*` and <br> `alert.notifications.receivers:create`                                                                                                                                                     | Create a new contact point and manage all existing contact points.                                                                                       |
@@ -63,8 +63,8 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Templates Writer: `fixed:alerting.templates:writer`                                      | `alert.notifications.templates:read`, `alert.notifications.templates:write`, `alert.notifications.templates:delete`, `alert.notifications.templates.test:write`                                                                                                                                                                                 | Create new and manage existing notification templates. Test templates with custom payloads.                                                              |
 | Time Intervals Reader: `fixed:alerting.time-intervals:reader`                            | `alert.notifications.time-intervals:read`                                                                                                                                                                                                                                                                                                       | Read all time intervals.                                                                                                                                 |
 | Time Intervals Writer: `fixed:alerting.time-intervals:writer`                            | `alert.notifications.time-intervals:read`, `alert.notifications.time-intervals:write`, `alert.notifications.time-intervals:delete`                                                                                                                                                                                                              | Create new and manage existing time intervals.                                                                                                           |
-| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all time intervals.                                                                                                                                 |
-| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read` `alert.notifications.routes:write`                                                                                                                                                                                                                                                                            | Create new and manage existing time intervals.                                                                                                           |
+| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all notification policies.                                                                                                                          |
+| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read`<br>`alert.notifications.routes:write`                                                                                                                                                                                                                                                                         | Create new and manage existing notification policies.                                                                                                    |
 
 ## Create custom roles
 

docs/sources/alerting/set-up/configure-roles/index.md

@@ -16,25 +16,27 @@ weight: 150
 
 # Configure roles and permissions
 
+This guide explains how to configure roles and permissions for Grafana Alerting for Grafana OSS users. You'll learn how to manage access using roles, folder permissions, and contact point permissions.
+
 A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system. For example, the Admin role includes permissions for an administrator to create and delete users.
 
 For more information, refer to [Organization roles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#organization-roles).
 
 ## Manage access using roles
 
-For Grafana OSS, there are three roles: Admin, Editor, and Viewer.
+Grafana OSS has three roles: Admin, Editor, and Viewer.
 
-Details of the roles and the access they provide for Grafana Alerting are below.
+The following table describes the access each role provides for Grafana Alerting.
 
-| Role   | Access                                                                                                                                                                    |
-| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                    |
+| Role   | Access                                                                                                                                                                                             |
+| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                                             |
+| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning.                          |
+| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning, as well as assign roles. |
 
 ## Assign roles
 
-To assign roles, admins need to complete the following steps.
+To assign roles, an admin needs to complete the following steps.
 
 1. Navigate to **Administration** > **Users and access** > **Users, Teams, or Service Accounts**.
 1. Search for the user, team or service account you want to add a role for.
@@ -58,32 +60,30 @@ Refer to the following table for details on the additional access provided by fo
 You can't use folders to customize access to notification resources.
 {{< /admonition >}}
 
-To manage folder permissions, complete the following steps.
+To manage folder permissions, complete the following steps:
 
 1. In the left-side menu, click **Dashboards**.
 1. Hover your mouse cursor over a folder and click **Go to folder**.
 1. Click **Manage permissions** from the Folder actions menu.
 1. Update or add permissions as required.
 
-## Manage access using contact point permissions
+## Manage access to contact points
 
-### Before you begin
-
-Extend or limit the access provided by a role to contact points by assigning permissions to individual contact point.
+Extend or limit the access provided by a role to contact points by assigning permissions to individual contact points.
 
 This allows different users, teams, or service accounts to have customized access to read or modify specific contact points.
 
 Refer to the following table for details on the additional access provided by contact point permissions.
 
-| Folder permission | Additional Access                                                                                                                             |
-| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| View              | View and export contact point as well as select it on the Alert rule edit page                                                                |
-| Edit              | Update or delete the contact point                                                                                                            |
-| Admin             | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
+| Contact point permission | Additional Access                                                                                                                             |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| View                     | View and export contact point as well as select it on the Alert rule edit page                                                                |
+| Edit                     | Update or delete the contact point                                                                                                            |
+| Admin                    | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
 
-### Steps
+### Assign contact point permissions
 
-To contact point permissions, complete the following steps.
+To manage contact point permissions, complete the following steps:
 
 1. In the left-side menu, click **Contact points**.
 1. Hover your mouse cursor over a contact point and click **More**.

docs/sources/as-code/infrastructure-as-code/grafana-operator/manage-dashboards-argocd.md

@@ -81,7 +81,7 @@ Replace the placeholders with your values:
 
 In your `grafana` directory, create a sub-folder called `dashboards`.
 
-This guide shows you how to creates three separate dashboards. For all dashboard configurations, replace the placeholders with your values:
+This guide shows you how to create three separate dashboards. For all dashboard configurations, replace the placeholders with your values:
 
 - _`<GRAFANA_CLOUD_STACK_NAME>`_: Name of your Grafana Cloud Stack
 - _`<GRAFANA_OPERATOR_NAMESPACE>`_: Namespace where the `grafana-operator` is deployed in your Kubernetes cluster

docs/sources/as-code/infrastructure-as-code/terraform/terraform-plugins.md

@@ -24,7 +24,7 @@ Before you begin, you should have the following available:
 - Administrator permissions in your Grafana instance; for more information on assigning Grafana RBAC roles, refer to [Assign RBAC roles](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/assign-rbac-roles/).
 
 {{< admonition type="note" >}}
-All of the following Terraform configuration files should be saved in the same directory.
+Save all of the following Terraform configuration files in the same directory.
 {{< /admonition >}}
 
 ## Configure the Grafana provider

docs/sources/as-code/observability-as-code/provision-resources/file-path-setup.md

@@ -54,7 +54,7 @@ For production systems, use the `folderFromFilesStructure` capability instead of
 ## Before you begin
 
 {{< admonition type="note" >}}
-Enable the `provisioning` and `kubernetesDashboards` feature toggles in Grafana to use this feature.
+Enable the `provisioning` feature toggle in Grafana to use this feature.
 {{< /admonition >}}
 
 To set up file provisioning, you need:
@@ -67,7 +67,7 @@ To set up file provisioning, you need:
 
 ## Enable required feature toggles and configure permitted paths
 
-To activate local file provisioning in Grafana, you need to enable the `provisioning` and `kubernetesDashboards` feature toggles.
+To activate local file provisioning in Grafana, you need to enable the `provisioning` feature toggle.
 For additional information about feature toggles, refer to [Configure feature toggles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles).
 
 The local setting must be a relative path and its relative path must be configured in the `permitted_provisioned_paths` configuration option.
@@ -82,12 +82,11 @@ Any subdirectories are automatically included.
 The values that you enter for the `permitted_provisioning_paths` become the base paths for those entered when you enter a local path in the **Connect to local storage** wizard.
 
 1. Open your Grafana configuration file, either `grafana.ini` or `custom.ini`. For file location based on operating system, refer to [Configuration file location](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/#experimental-feature-toggles).
-1. Locate or add a `[feature_toggles]` section. Add these values:
+1. Locate or add a `[feature_toggles]` section. Add this value:
 
    ```ini
    [feature_toggles]
    provisioning = true
-   kubernetesDashboards = true ; use k8s from browser
    ```
 
 1. Locate or add a `[paths]` section. To add more than one location, use the pipe character (`|`) to separate the paths. The list should not include empty paths or trailing pipes. Add these values:

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/_index.md

@@ -0,0 +1,147 @@
+---
+title: Git Sync deployment scenarios
+menuTitle: Deployment scenarios
+description: Learn about common Git Sync deployment patterns and configurations for different organizational needs
+weight: 450
+keywords:
+  - git sync
+  - deployment patterns
+  - scenarios
+  - multi-environment
+  - teams
+---
+
+# Git Sync deployment scenarios
+
+This guide shows practical deployment scenarios for Grafana’s Git Sync. Learn how to configure bidirectional synchronization between Grafana and Git repositories for teams, environments, and regions.
+
+{{< admonition type="caution" >}}
+Git Sync is an experimental feature. It reflects Grafana’s approach to Observability as Code and might include limitations or breaking changes. For current status and known limitations, refer to the [Git Sync introduction](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/intro-git-sync/).
+{{< /admonition >}}
+
+## Understand the relationship between key Git Sync components
+
+Before you explore the scenarios, understand how the key Git Sync components relate:
+
+- [Grafana instance](#grafana-instance)
+- [Git repository structure](#git-repository-structure)
+- [Git Sync repository resource](#git-sync-repository-resource)
+
+### Grafana instance
+
+A Grafana instance is a running Grafana server. Multiple instances can:
+
+- Connect to the same Git repository using different Repository configurations.
+- Sync from different branches of the same repository.
+- Sync from different paths within the same repository.
+- Sync from different repositories.
+
+### Git repository structure
+
+You can organize your Git repository in several ways:
+
+- Single branch, multiple paths: Use different directories for different purposes (for example, `dev/`, `prod/`, `team-a/`).
+- Multiple branches: Use different branches for different environments or teams (for example, `main`, `develop`, `team-a`).
+- Multiple repositories: Use separate repositories for different teams or environments.
+
+### Git Sync repository resource
+
+A repository resource is a Grafana configuration object that defines:
+
+- Which Git repository to sync with.
+- Which branch to use.
+- Which directory path to synchronize.
+- Sync behavior and workflows.
+
+Each repository resource creates bidirectional synchronization between a Grafana instance and a specific location in Git.
+
+## How does repository sync behave?
+
+With Git Sync you configure a repository resource to sync with your Grafana instance:
+
+1. Grafana monitors the specified Git location (repository, branch, and path).
+2. Grafana creates a folder in Dashboards (typically named after the repository).
+3. Grafana creates dashboards from dashboard JSON files in Git within this folder.
+4. Grafana commits dashboard changes made in the UI back to Git.
+5. Grafana pulls dashboard changes made in Git and updates dashboards in the UI.
+6. Synchronization occurs at regular intervals (configurable), or instantly if you use webhooks.
+
+You can find the provisioned dashboards organized in folders under **Dashboards**.
+
+## Example: Relationship between repository, branch, and path
+
+Here's a concrete example showing how the three parameters work together:
+
+**Configuration:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `team-platform/grafana/`
+
+**In Git (on branch `main`):**
+
+```
+your-org/grafana-manifests/
+├── .git/
+├── README.md
+├── team-platform/
+│   └── grafana/
+│       ├── cpu-metrics.json       ← Synced
+│       ├── memory-usage.json      ← Synced
+│       └── disk-io.json           ← Synced
+├── team-data/
+│   └── grafana/
+│       └── pipeline-stats.json    ← Not synced (different path)
+└── other-files.txt                 ← Not synced (outside path)
+```
+
+**In Grafana Dashboards view:**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── CPU Metrics Dashboard
+    ├── Memory Usage Dashboard
+    └── Disk I/O Dashboard
+```
+
+**Key points:**
+
+- Grafana only synchronizes files within the specified path (`team-platform/grafana/`).
+- Grafana ignores files in other paths or at the repository root.
+- The folder name in Grafana comes from the repository name.
+- Dashboard titles come from the JSON file content, not the filename.
+
+## Repository configuration flexibility
+
+Git Sync repositories support different combinations of repository URL, branch, and path:
+
+- Different Git repositories: Each environment or team can use its own repository.
+  - Instance A: `repository: your-org/grafana-prod`.
+  - Instance B: `repository: your-org/grafana-dev`.
+- Different branches: Use separate branches within the same repository.
+  - Instance A: `repository: your-org/grafana-manifests, branch: main`.
+  - Instance B: `repository: your-org/grafana-manifests, branch: develop`.
+- Different paths: Use different directory paths within the same repository.
+  - Instance A: `repository: your-org/grafana-manifests, branch: main, path: production/`.
+  - Instance B: `repository: your-org/grafana-manifests, branch: main, path: development/`.
+- Any combination: Mix and match based on your workflow requirements.
+
+## Scenarios
+
+Use these deployment scenarios to plan your Git Sync setup:
+
+- [Single instance](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/single-instance/)
+- [Git Sync for development and production environments](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/dev-prod/)
+- [Git Sync with regional replication](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/multi-region/)
+- [High availability](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/high-availability/)
+- [Git Sync in a shared Grafana instance](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/multi-team/)
+
+## Learn more
+
+Refer to the following documents to learn more:
+
+- [Git Sync introduction](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/intro-git-sync/)
+- [Git Sync setup guide](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-setup/)
+- [Dashboard provisioning](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/provisioning/)
+- [Observability as Code](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/)

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/dev-prod.md

@@ -0,0 +1,147 @@
+---
+title: Git Sync for development and production environments
+menuTitle: Across environments
+description: Use separate Grafana instances for development and production with Git-controlled promotion
+weight: 20
+---
+
+# Git Sync for development and production environments
+
+Use separate Grafana instances for development and production. Each syncs with different Git locations to test dashboards before production.
+
+## Use it for
+
+- **Staged deployments**: You need to test dashboard changes before production deployment.
+- **Change control**: You require approvals before dashboards reach production.
+- **Quality assurance**: You verify dashboard functionality in a non-production environment.
+- **Risk mitigation**: You minimize the risk of breaking production dashboards.
+
+## Architecture
+
+```
+┌────────────────────────────────────────────────────────────┐
+│              GitHub Repository                             │
+│   Repository: your-org/grafana-manifests                 │
+│   Branch: main                                             │
+│                                                            │
+│   grafana-manifests/                                     │
+│   ├── dev/                                                │
+│   │   ├── dashboard-new.json    ← Development dashboards │
+│   │   └── dashboard-test.json                            │
+│   │                                                       │
+│   └── prod/                                               │
+│       ├── dashboard-stable.json  ← Production dashboards │
+│       └── dashboard-approved.json                        │
+└────────────────────────────────────────────────────────────┘
+           ↕                                 ↕
+    Git Sync (dev/)              Git Sync (prod/)
+           ↕                                 ↕
+┌─────────────────────┐          ┌─────────────────────┐
+│  Dev Grafana        │          │  Prod Grafana       │
+│                     │          │                     │
+│  Repository:        │          │  Repository:        │
+│  - path: dev/       │          │  - path: prod/      │
+│                     │          │                     │
+│  Creates folder:    │          │  Creates folder:    │
+│  "grafana-manifests"│         │  "grafana-manifests"│
+└─────────────────────┘          └─────────────────────┘
+```
+
+## Repository structure
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+├── dev/
+│   ├── dashboard-new.json
+│   └── dashboard-test.json
+└── prod/
+    ├── dashboard-stable.json
+    └── dashboard-approved.json
+```
+
+**In Grafana Dashboards view:**
+
+**Dev instance:**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── New Dashboard
+    └── Test Dashboard
+```
+
+**Prod instance:**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── Stable Dashboard
+    └── Approved Dashboard
+```
+
+- Both instances create a folder named "grafana-manifests" (from repository name)
+- Each instance only shows dashboards from its configured path (`dev/` or `prod/`)
+- Dashboards appear with their titles from the JSON files
+
+## Configuration parameters
+
+Development:
+
+- Repository: `your-org/grafana-manifests`
+- Branch: `main`
+- Path: `dev/`
+
+Production:
+
+- Repository: `your-org/grafana-manifests`
+- Branch: `main`
+- Path: `prod/`
+
+## How it works
+
+1. Developers create and modify dashboards in development.
+2. Git Sync commits changes to `dev/`.
+3. You review changes in Git.
+4. You promote approved dashboards from `dev/` to `prod/`.
+5. Production syncs from `prod/`.
+6. Production dashboards update.
+
+## Alternative: Use branches
+
+Instead of using different paths, you can configure instances to use different branches:
+
+**Development instance:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `develop`
+- **Path**: `grafana/`
+
+**Production instance:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+With this approach:
+
+- Development changes go to the `develop` branch
+- Use Git merge or pull request workflows to promote changes from `develop` to `main`
+- Production automatically syncs from the `main` branch
+
+## Alternative: Use separate repositories for stricter isolation
+
+For stricter isolation, use completely separate repositories:
+
+**Development instance:**
+
+- **Repository**: `your-org/grafana-manifests-dev`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+**Production instance:**
+
+- **Repository**: `your-org/grafana-manifests-prod`
+- **Branch**: `main`
+- **Path**: `grafana/`

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/high-availability.md

@@ -0,0 +1,217 @@
+---
+title: Git Sync for high availability environments
+menuTitle: High availability
+description: Run multiple Grafana instances serving traffic simultaneously, synchronized via Git Sync
+weight: 50
+---
+
+# Git Sync for high availability environments
+
+## Primary–replica scenario
+
+Use a primary Grafana instance and one or more replicas synchronized with the same Git location to enable failover.
+
+### Use it for
+
+- **Automatic failover**: You need service continuity when the primary instance fails.
+- **High availability**: Your organization requires guaranteed dashboard availability.
+- **Simple HA setup**: You want high availability without the complexity of active–active.
+- **Maintenance windows**: You perform updates while another instance serves traffic.
+- **Business continuity**: Dashboard access can't tolerate downtime.
+
+### Architecture
+
+```
+┌─────────────────────────────────────────────────────┐
+│           GitHub Repository                         │
+│   Repository: your-org/grafana-manifests          │
+│   Branch: main                                      │
+│                                                     │
+│   grafana-manifests/                              │
+│   └── shared/                                      │
+│       ├── dashboard-metrics.json                   │
+│       ├── dashboard-alerts.json                    │
+│       └── dashboard-logs.json                      │
+└─────────────────────────────────────────────────────┘
+              ↕                           ↕
+        Git Sync (shared/)        Git Sync (shared/)
+              ↕                           ↕
+┌────────────────────┐          ┌────────────────────┐
+│  Master Grafana    │          │  Replica Grafana   │
+│    (Active)        │          │    (Standby)       │
+│                    │          │                    │
+│  Repository:       │          │  Repository:       │
+│  - path: shared/   │          │  - path: shared/   │
+└────────────────────┘          └────────────────────┘
+         │                               │
+         └───────────┬───────────────────┘
+                     ↓
+          ┌──────────────────────┐
+          │  Reverse Proxy       │
+          │  (Failover)          │
+          └──────────────────────┘
+```
+
+### Repository structure
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+└── shared/
+    ├── dashboard-metrics.json
+    ├── dashboard-alerts.json
+    └── dashboard-logs.json
+```
+
+**In Grafana Dashboards view (both instances):**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── Metrics Dashboard
+    ├── Alerts Dashboard
+    └── Logs Dashboard
+```
+
+- Master and replica instances show identical folder structure.
+- Both sync from the same `shared/` path.
+- Reverse proxy routes traffic to master (active) instance.
+- If master fails, proxy automatically fails over to replica (standby).
+- Users see the same dashboards regardless of which instance is serving traffic.
+
+### Configuration parameters
+
+Both master and replica instances use identical parameters:
+
+**Master instance:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `shared/`
+
+**Replica instance:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `shared/`
+
+### How it works
+
+1. Both instances stay synchronized through Git.
+2. Reverse proxy routes traffic to primary.
+3. Users edit on primary. Git Sync commits changes.
+4. Both instances pull latest changes to keep replica in sync.
+5. On primary failure, proxy fails over to replica.
+
+### Failover considerations
+
+- Health checks and monitoring.
+- Continuous syncing to minimize data loss.
+- Plan failback (automatic or manual).
+
+## Load balancer scenario
+
+Run multiple active Grafana instances behind a load balancer. All instances sync from the same Git location.
+
+### Use it for
+
+- **High traffic**: Your deployment needs to handle significant user load.
+- **Load distribution**: You want to distribute user requests across instances.
+- **Maximum availability**: You need service continuity during maintenance or failures.
+- **Scalability**: You want to add instances as load increases.
+- **Performance**: Users need fast response times under heavy load.
+
+### Architecture
+
+```
+┌─────────────────────────────────────────────────────┐
+│           GitHub Repository                         │
+│   Repository: your-org/grafana-manifests          │
+│   Branch: main                                      │
+│                                                     │
+│   grafana-manifests/                              │
+│   └── shared/                                      │
+│       ├── dashboard-metrics.json                   │
+│       ├── dashboard-alerts.json                    │
+│       └── dashboard-logs.json                      │
+└─────────────────────────────────────────────────────┘
+              ↕                           ↕
+        Git Sync (shared/)        Git Sync (shared/)
+              ↕                           ↕
+┌────────────────────┐          ┌────────────────────┐
+│  Grafana Instance 1│          │  Grafana Instance 2│
+│    (Active)        │          │    (Active)        │
+│                    │          │                    │
+│  Repository:       │          │  Repository:       │
+│  - path: shared/   │          │  - path: shared/   │
+└────────────────────┘          └────────────────────┘
+         │                               │
+         └───────────┬───────────────────┘
+                     ↓
+          ┌──────────────────────┐
+          │  Load Balancer       │
+          │  (Round Robin)       │
+          └──────────────────────┘
+```
+
+### Repository structure
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+└── shared/
+    ├── dashboard-metrics.json
+    ├── dashboard-alerts.json
+    └── dashboard-logs.json
+```
+
+**In Grafana Dashboards view (all instances):**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── Metrics Dashboard
+    ├── Alerts Dashboard
+    └── Logs Dashboard
+```
+
+- All instances show identical folder structure.
+- All instances sync from the same `shared/` path.
+- Load balancer distributes requests across all active instances.
+- Any instance can serve read requests.
+- Any instance can accept dashboard modifications.
+- Changes propagate to all instances through Git.
+
+### Configuration parameters
+
+All instances use identical parameters:
+
+**Instance 1:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `shared/`
+
+**Instance 2:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `shared/`
+
+### How it works
+
+1. All instances stay synchronized through Git.
+2. Load balancer distributes incoming traffic across all active instances.
+3. Users can view dashboards from any instance.
+4. When a user modifies a dashboard on any instance, Git Sync commits the change.
+5. All other instances pull the updated dashboard during their next sync cycle, or instantly if webhooks are configured.
+6. If one instance fails, load balancer stops routing traffic to it and remaining instances continue serving.
+
+### Important considerations
+
+- **Eventually consistent**: Due to sync intervals, instances may briefly have different dashboard versions.
+- **Concurrent edits**: Multiple users editing the same dashboard on different instances can cause conflicts.
+- **Database sharing**: Instances should share the same backend database for user sessions, preferences, and annotations.
+- **Stateless design**: Design for stateless operation where possible to maximize load balancing effectiveness.

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/multi-region.md

@@ -0,0 +1,93 @@
+---
+title: Git Sync with regional replication
+menuTitle: Regional replication
+description: Synchronize multiple regional Grafana instances from a shared Git location
+weight: 30
+---
+
+# Git Sync with regional replication
+
+Deploy multiple Grafana instances across regions. Synchronize them with the same Git location to ensure consistent dashboards everywhere.
+
+## Use it for
+
+- **Geographic distribution**: You deploy Grafana close to users in different regions.
+- **Latency reduction**: Users need fast dashboard access from their location.
+- **Data sovereignty**: You keep dashboard data in specific regions.
+- **High availability**: You need dashboard availability across regions.
+- **Consistent experience**: All users see the same dashboards regardless of region.
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────┐
+│           GitHub Repository                         │
+│   Repository: your-org/grafana-manifests          │
+│   Branch: main                                      │
+│                                                     │
+│   grafana-manifests/                              │
+│   └── shared/                                      │
+│       ├── dashboard-global.json                    │
+│       ├── dashboard-metrics.json                   │
+│       └── dashboard-logs.json                      │
+└─────────────────────────────────────────────────────┘
+              ↕                           ↕
+       Git Sync (shared/)         Git Sync (shared/)
+              ↕                           ↕
+┌────────────────────┐          ┌────────────────────┐
+│  US Region         │          │  EU Region         │
+│  Grafana           │          │  Grafana           │
+│                    │          │                    │
+│  Repository:       │          │  Repository:       │
+│  - path: shared/   │          │  - path: shared/   │
+└────────────────────┘          └────────────────────┘
+```
+
+## Repository structure
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+└── shared/
+    ├── dashboard-global.json
+    ├── dashboard-metrics.json
+    └── dashboard-logs.json
+```
+
+**In Grafana Dashboards view (all regions):**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── Global Dashboard
+    ├── Metrics Dashboard
+    └── Logs Dashboard
+```
+
+- All regional instances (US, EU, etc.) show identical folder structure
+- Same folder name "grafana-manifests" in every region
+- Same dashboards synced from the `shared/` path appear everywhere
+- Users in any region see the exact same dashboards with the same titles
+
+## Configuration parameters
+
+All regions:
+
+- Repository: `your-org/grafana-manifests`
+- Branch: `main`
+- Path: `shared/`
+
+## How it works
+
+1. All regional instances pull dashboards from `shared/`.
+2. Any region’s change commits to Git.
+3. Other regions pull updates during the next sync (or via webhooks).
+4. Changes propagate across regions per sync interval.
+
+## Considerations
+
+- **Write conflicts**: If users in different regions modify the same dashboard simultaneously, Git uses last-write-wins.
+- **Primary region**: Consider designating one region as the primary location for making dashboard changes.
+- **Propagation time**: Changes propagate to all regions within the configured sync interval, or instantly if webhooks are configured.
+- **Network reliability**: Ensure all regions have reliable connectivity to the Git repository.

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/multi-team.md

@@ -0,0 +1,169 @@
+---
+title: Multiple team Git Sync
+menuTitle: Shared instance
+description: Use multiple Git repositories with one Grafana instance, one repository per team
+weight: 60
+---
+
+# Git Sync in a Grafana instance shared by multiple teams
+
+Use a single Grafana instance with multiple Repository resources, one per team. Each team manages its own dashboards while sharing Grafana.
+
+## Use it for
+
+- **Team autonomy**: Different teams manage their own dashboards independently.
+- **Organizational structure**: Dashboard organization aligns with team structure.
+- **Resource efficiency**: Multiple teams share Grafana infrastructure.
+- **Cost optimization**: You reduce infrastructure costs while maintaining team separation.
+- **Collaboration**: Teams can view each other’s dashboards while managing their own.
+
+## Architecture
+
+```
+┌─────────────────────────┐  ┌─────────────────────────┐
+│  Platform Team Repo     │  │  Data Team Repo         │
+│  platform-dashboards    │  │  data-dashboards        │
+│                         │  │                         │
+│  platform-dashboards/   │  │  data-dashboards/       │
+│  └── grafana/           │  │  └── grafana/           │
+│      ├── k8s.json       │  │      ├── pipeline.json  │
+│      └── infra.json     │  │      └── analytics.json │
+└─────────────────────────┘  └─────────────────────────┘
+           ↕                            ↕
+    Git Sync (grafana/)          Git Sync (grafana/)
+           ↕                            ↕
+        ┌──────────────────────────────────────┐
+        │       Grafana Instance               │
+        │                                      │
+        │  Repository 1:                       │
+        │  - repo: platform-dashboards         │
+        │  → Creates "platform-dashboards"     │
+        │                                      │
+        │  Repository 2:                       │
+        │  - repo: data-dashboards             │
+        │  → Creates "data-dashboards"         │
+        └──────────────────────────────────────┘
+```
+
+## Repository structure
+
+**In Git (separate repositories):**
+
+**Platform team repository:**
+
+```
+your-org/platform-dashboards
+└── grafana/
+    ├── dashboard-k8s.json
+    └── dashboard-infra.json
+```
+
+**Data team repository:**
+
+```
+your-org/data-dashboards
+└── grafana/
+    ├── dashboard-pipeline.json
+    └── dashboard-analytics.json
+```
+
+**In Grafana Dashboards view:**
+
+```
+Dashboards
+├── 📁 platform-dashboards/
+│   ├── Kubernetes Dashboard
+│   └── Infrastructure Dashboard
+└── 📁 data-dashboards/
+    ├── Pipeline Dashboard
+    └── Analytics Dashboard
+```
+
+- Two separate folders created (one per Repository resource).
+- Folder names derived from repository names.
+- Each team has complete control over their own repository.
+- Teams can independently manage permissions, branches, and workflows in their repos.
+- All teams can view each other's dashboards in Grafana but manage only their own.
+
+## Configuration parameters
+
+**Platform team repository:**
+
+- **Repository**: `your-org/platform-dashboards`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+**Data team repository:**
+
+- **Repository**: `your-org/data-dashboards`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+## How it works
+
+1. Each team has their own Git repository for complete autonomy.
+2. Each repository resource in Grafana creates a separate folder.
+3. Platform team dashboards sync from `your-org/platform-dashboards` repository.
+4. Data team dashboards sync from `your-org/data-dashboards` repository.
+5. Teams can independently manage their repository settings, access controls, and workflows.
+6. All teams can view each other's dashboards in Grafana but edit only their own.
+
+## Scale to more teams
+
+Adding additional teams is straightforward. For a third team, create a new repository and configure:
+
+- **Repository**: `your-org/security-dashboards`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+This creates a new "security-dashboards" folder in the same Grafana instance.
+
+## Alternative: Shared repository with different paths
+
+For teams that prefer sharing a single repository, use different paths to separate team dashboards:
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+├── team-platform/
+│   ├── dashboard-k8s.json
+│   └── dashboard-infra.json
+└── team-data/
+    ├── dashboard-pipeline.json
+    └── dashboard-analytics.json
+```
+
+**Configuration:**
+
+**Platform team:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `team-platform/`
+
+**Data team:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `team-data/`
+
+This approach provides simpler repository management but less isolation between teams.
+
+## Alternative: Different branches per team
+
+For teams wanting their own branch in a shared repository:
+
+**Platform team:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `team-platform`
+- **Path**: `grafana/`
+
+**Data team:**
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `team-data`
+- **Path**: `grafana/`
+
+This allows teams to use Git branch workflows for collaboration while sharing the same repository.

docs/sources/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios/single-instance.md

@@ -0,0 +1,86 @@
+---
+title: Single instance Git Sync
+menuTitle: Single instance
+description: Synchronize a single Grafana instance with a Git repository
+weight: 10
+---
+
+# Single instance Git Sync
+
+Use a single Grafana instance synchronized with a Git repository. This is the foundation for Git Sync and helps you understand bidirectional synchronization.
+
+## Use it for
+
+- **Getting started**: You want to learn how Git Sync works before implementing complex scenarios.
+- **Personal projects**: Individual developers manage their own dashboards.
+- **Small teams**: You have a simple setup without multiple environments or complex workflows.
+- **Development environments**: You need quick prototyping and testing.
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────┐
+│           GitHub Repository                         │
+│   Repository: your-org/grafana-manifests          │
+│   Branch: main                                      │
+│                                                     │
+│   grafana-manifests/                              │
+│   └── grafana/                                     │
+│       ├── dashboard-1.json                         │
+│       ├── dashboard-2.json                         │
+│       └── dashboard-3.json                         │
+└─────────────────────────────────────────────────────┘
+                        ↕
+              Git Sync (bidirectional)
+                        ↕
+        ┌─────────────────────────────┐
+        │    Grafana Instance         │
+        │                             │
+        │  Repository Resource:       │
+        │  - url: grafana-manifests  │
+        │  - branch: main             │
+        │  - path: grafana/           │
+        │                             │
+        │  Creates folder:            │
+        │  "grafana-manifests"       │
+        └─────────────────────────────┘
+```
+
+## Repository structure
+
+**In Git:**
+
+```
+your-org/grafana-manifests
+└── grafana/
+    ├── dashboard-1.json
+    ├── dashboard-2.json
+    └── dashboard-3.json
+```
+
+**In Grafana Dashboards view:**
+
+```
+Dashboards
+└── 📁 grafana-manifests/
+    ├── Dashboard 1
+    ├── Dashboard 2
+    └── Dashboard 3
+```
+
+- A folder named "grafana-manifests" (from repository name) contains all synced dashboards.
+- Each JSON file becomes a dashboard with its title displayed in the folder.
+- Users browse dashboards organized under this folder structure.
+
+## Configuration parameters
+
+Configure your Grafana instance to synchronize with:
+
+- **Repository**: `your-org/grafana-manifests`
+- **Branch**: `main`
+- **Path**: `grafana/`
+
+## How it works
+
+1. **From Grafana to Git**: When users create or modify dashboards in Grafana, Git Sync commits changes to the `grafana/` directory on the `main` branch.
+2. **From Git to Grafana**: When dashboard JSON files are added or modified in the `grafana/` directory, Git Sync pulls these changes into Grafana.

docs/sources/as-code/observability-as-code/provision-resources/git-sync-setup.md

@@ -29,76 +29,70 @@ You can sign up to the private preview using the [Git Sync early access form](ht
 
 {{< /admonition >}}
 
-Git Sync lets you manage Grafana dashboards as code by storing dashboard JSON files and folders in a remote GitHub repository.
-
-To set up Git Sync and synchronize with a GitHub repository follow these steps:
-
-1. [Enable feature toggles in Grafana](#enable-required-feature-toggles) (first time set up).
-1. [Create a GitHub access token](#create-a-github-access-token).
-1. [Configure a connection to your GitHub repository](#set-up-the-connection-to-github).
-1. [Choose what content to sync with Grafana](#choose-what-to-synchronize).
-
-Optionally, you can [extend Git Sync](#configure-webhooks-and-image-rendering) by enabling pull request notifications and image previews of dashboard changes.
-
-| Capability                                            | Benefit                                                                         | Requires                               |
-| ----------------------------------------------------- | ------------------------------------------------------------------------------- | -------------------------------------- |
-| Adds a table summarizing changes to your pull request | Provides a convenient way to save changes back to GitHub.                       | Webhooks configured                    |
-| Add a dashboard preview image to a PR                 | View a snapshot of dashboard changes to a pull request without opening Grafana. | Image renderer and webhooks configured |
-
-{{< admonition type="note" >}}
-
-Alternatively, you can configure a local file system instead of using GitHub. Refer to [Set up file provisioning](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/file-path-setup/) for more information.
-
-{{< /admonition >}}
-
-## Performance impacts of enabling Git Sync
-
-Git Sync is an experimental feature and is under continuous development. Reporting any issues you encounter can help us improve Git Sync.
-
-When Git Sync is enabled, the database load might increase, especially for instances with a lot of folders and nested folders. Evaluate the performance impact, if any, in a non-production environment.
+This guide shows you how to set up Git Sync to synchronize your Grafana dashboards and folders with a GitHub repository. You'll set up Git Sync to enable version-controlled dashboard management either [using the UI](#set-up-git-sync-using-grafana-ui) or [as code](#set-up-git-sync-as-code).
 
 ## Before you begin
 
-{{< admonition type="caution" >}}
+Before you begin, ensure you have the following:
 
-Refer to [Known limitations](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/intro-git-sync#known-limitations/) before using Git Sync.
+- A Grafana instance (Cloud, OSS, or Enterprise).
+- If you're [using webhooks or image rendering](#extend-git-sync-for-real-time-notification-and-image-rendering), a public instance with external access
+- Administration rights in your Grafana organization
+- A [GitHub private access token](#create-a-github-access-token)
+- A GitHub repository to store your dashboards in
+- Optional: The [Image Renderer service](https://github.com/grafana/grafana-image-renderer) to save image previews with your PRs
+
+### Known limitations
+
+Refer to [Known limitations](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/intro-git-sync#known-limitations) before using Git Sync.
+
+Refer to [Supported resources](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/intro-git-sync#supported-resources) for details about which resources you can sync.
+
+### Performance considerations
+
+When Git Sync is enabled, the database load might increase, especially for instances with many folders and nested folders. Evaluate the performance impact, if any, in a non-production environment.
+
+Git Sync is under continuous development. [Report any issues](https://grafana.com/help/) you encounter to help us improve Git Sync.
+
+## Set up Git Sync
+
+To set up Git Sync and synchronize with a GitHub repository, follow these steps:
+
+1. [Enable feature toggles in Grafana](#enable-required-feature-toggles) (first time setup)
+1. [Create a GitHub access token](#create-a-github-access-token)
+1. Set up Git Sync [using the UI](#set-up-git-sync-using-grafana-ui) or [as code](#set-up-git-sync-as-code)
+
+After setup, you can [verify your dashboards](#verify-your-dashboards-in-grafana).
+
+Optionally, you can also [extend Git Sync with webhooks and image rendering](#extend-git-sync-for-real-time-notification-and-image-rendering).
+
+{{< admonition type="note" >}}
+
+Alternatively, you can configure a local file system instead of using GitHub. Refer to [Set up file provisioning](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/file-path-setup/) for more information.
 
 {{< /admonition >}}
 
-### Requirements
-
-To set up Git Sync, you need:
-
-- Administration rights in your Grafana organization.
-- Enable the required feature toggles in your Grafana instance. Refer to [Enable required feature toggles](#enable-required-feature-toggles) for instructions.
-- A GitHub repository to store your dashboards in.
-  - If you want to use a local file path, refer to [the local file path guide](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/file-path-setup/).
-- A GitHub access token. The Grafana UI will prompt you during setup.
-- Optional: A public Grafana instance.
-- Optional: The [Image Renderer service](https://github.com/grafana/grafana-image-renderer) to save image previews with your PRs.
-
 ## Enable required feature toggles
 
-To activate Git Sync in Grafana, you need to enable the `provisioning` and `kubernetesDashboards` feature toggles.
-For additional information about feature toggles, refer to [Configure feature toggles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles).
+To activate Git Sync in Grafana, you need to enable the `provisioning` feature toggle. For more information about feature toggles, refer to [Configure feature toggles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/#experimental-feature-toggles).
 
-To enable the required feature toggles, add them to your Grafana configuration file:
+To enable the required feature toggle:
 
 1. Open your Grafana configuration file, either `grafana.ini` or `custom.ini`. For file location based on operating system, refer to [Configuration file location](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/#experimental-feature-toggles).
-1. Locate or add a `[feature_toggles]` section. Add these values:
+1. Locate or add a `[feature_toggles]` section. Add this value:
 
    ```ini
    [feature_toggles]
    provisioning = true
-   kubernetesDashboards = true ; use k8s from browser
    ```
 
 1. Save the changes to the file and restart Grafana.
 
 ## Create a GitHub access token
 
-Whenever you connect to a GitHub repository, you need to create a GitHub access token with specific repository permissions.
-This token needs to be added to your Git Sync configuration to enable read and write permissions between Grafana and GitHub repository.
+Whenever you connect to a GitHub repository, you need to create a GitHub access token with specific repository permissions. This token needs to be added to your Git Sync configuration to enable read and write permissions between Grafana and GitHub repository.
+
+To create a GitHub access token:
 
 1. Create a new token using [Create new fine-grained personal access token](https://github.com/settings/personal-access-tokens/new). Refer to [Managing your personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) for instructions.
 1. Under **Permissions**, expand **Repository permissions**.
@@ -112,19 +106,23 @@ This token needs to be added to your Git Sync configuration to enable read and w
 1. Verify the options and select **Generate token**.
 1. Copy the access token. Leave the browser window available with the token until you've completed configuration.
 
-GitHub Apps are not currently supported.
+GitHub Apps aren't currently supported.
 
-## Set up the connection to GitHub
+## Set up Git Sync using Grafana UI
 
-Use **Provisioning** to guide you through setting up Git Sync to use a GitHub repository.
+1. [Configure a connection to your GitHub repository](#set-up-the-connection-to-github)
+1. [Choose what content to sync with Grafana](#choose-what-to-synchronize)
+1. [Choose additional settings](#choose-additional-settings)
+
+### Set up the connection to GitHub
+
+Use **Provisioning** to guide you through setting up Git Sync to use a GitHub repository:
 
 1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
 1. Select **Administration** in the left-side menu and then **Provisioning**.
 1. Select **Configure Git Sync**.
 
-### Connect to external storage
-
-To connect your GitHub repository, follow these steps:
+To connect your GitHub repository:
 
 1. Paste your GitHub personal access token into **Enter your access token**. Refer to [Create a GitHub access token](#create-a-github-access-token) for instructions.
 1. Paste the **Repository URL** for your GitHub repository into the text box.
@@ -134,32 +132,12 @@ To connect your GitHub repository, follow these steps:
 
 ### Choose what to synchronize
 
-In this step you can decide which elements to synchronize. Keep in mind the available options depend on the status of your Grafana instance.
+In this step, you can decide which elements to synchronize. The available options depend on the status of your Grafana instance:
 
 - If the instance contains resources in an incompatible data format, you'll have to migrate all the data using instance sync. Folder sync won't be supported.
-- If there is already another connection using folder sync, instance sync won't be offered.
+- If there's already another connection using folder sync, instance sync won't be offered.
 
-#### Synchronization limitations
-
-Git Sync only supports dashboards and folders. Alerts, panels, and other resources are not supported yet.
-
-{{< admonition type="caution" >}}
-
-Refer to [Known limitations](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/intro-git-sync#known-limitations/) before using Git Sync. Refer to [Supported resources](/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/intro-git-sync#supported-resources) for details about which resources you can sync.
-
-{{< /admonition >}}
-
-Full instance sync is not available in Grafana Cloud.
-
-In Grafana OSS/Enterprise:
-
-- If you try to perform a full instance sync with resources that contain alerts or panels, Git Sync will block the connection.
-- You won't be able to create new alerts or library panels after the setup is completed.
-- If you opted for full instance sync and want to use alerts and library panels, you'll have to delete the synced repository and connect again with folder sync.
-
-#### Set up synchronization
-
-To set up synchronization, choose to either sync your entire organization resources with external storage, or to sync certain resources to a new Grafana folder (with up to 10 connections).
+To set up synchronization:
 
 - Choose **Sync all resources with external storage** if you want to sync and manage your entire Grafana instance through external storage. With this option, all of your dashboards are synced to that one repository. You can only have one provisioned connection with this selection, and you won't have the option of setting up additional repositories to connect to.
 - Choose **Sync external storage to new Grafana folder** to sync external resources into a new folder without affecting the rest of your instance. You can repeat this process for up to 10 connections.
@@ -170,20 +148,183 @@ Next, enter a **Display name** for the repository connection. Resources stored i
 
 Finally, you can set up how often your configured storage is polled for updates.
 
+To configure additional settings:
+
 1. For **Update instance interval (seconds)**, enter how often you want the instance to pull updates from GitHub. The default value is 60 seconds.
 1. Optional: Select **Read only** to ensure resources can't be modified in Grafana.
-1. Optional: If you have the Grafana Image Renderer plugin configured, you can **Enable dashboards previews in pull requests**. If image rendering is not available, then you can't select this option. For more information, refer to the [Image Renderer service](https://github.com/grafana/grafana-image-renderer).
+1. Optional: If you have the Grafana Image Renderer plugin configured, you can **Enable dashboards previews in pull requests**. If image rendering isn't available, then you can't select this option. For more information, refer to the [Image Renderer service](https://github.com/grafana/grafana-image-renderer).
 1. Select **Finish** to proceed.
 
+### Modify your configuration after setup is complete
+
+To update your repository configuration after you've completed setup:
+
+1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
+1. Select **Administration** in the left-side menu and then **Provisioning**.
+1. Select **Settings** for the repository you wish to modify.
+1. Use the **Configure repository** screen to update any of the settings.
+1. Select **Save** to preserve the updates.
+
+## Set up Git Sync as code
+
+Alternatively, you can also configure Git Sync using `grafanactl`. Since Git Sync configuration is managed as code using Custom Resource Definitions (CRDs), you can create a Repository CRD in a YAML file and use `grafanactl` to push it to Grafana. This approach enables automated, GitOps-style workflows for managing Git Sync configuration instead of using the Grafana UI.
+
+To set up Git Sync with `grafanactl`, follow these steps:
+
+1. [Create the repository CRD](#create-the-repository-crd)
+1. [Push the repository CRD to Grafana](#push-the-repository-crd-to-grafana)
+1. [Manage repository resources](#manage-repository-resources)
+1. [Verify setup](#verify-setup)
+
+For more information, refer to the following documents:
+
+- [grafanactl Documentation](https://grafana.github.io/grafanactl/)
+- [Repository CRD Reference](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-setup/)
+- [Dashboard CRD Format](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/export-resources/)
+
+### Create the repository CRD
+
+Create a `repository.yaml` file defining your Git Sync configuration:
+
+```yaml
+apiVersion: provisioning.grafana.app/v0alpha1
+kind: Repository
+metadata:
+  name: <REPOSITORY_NAME>
+spec:
+  title: <REPOSITORY_TITLE>
+  type: github
+  github:
+    url: <GITHUB_REPO_URL>
+    branch: <BRANCH>
+    path: grafana/
+    generateDashboardPreviews: true
+  sync:
+    enabled: true
+    intervalSeconds: 60
+    target: folder
+  workflows:
+    - write
+    - branch
+secure:
+  token:
+    create: <GITHUB_PAT>
+```
+
+Replace the placeholders with your values:
+
+- _`<REPOSITORY_NAME>`_: Unique identifier for this repository resource
+- _`<REPOSITORY_TITLE>`_: Human-readable name displayed in Grafana UI
+- _`<GITHUB_REPO_URL>`_: GitHub repository URL
+- _`<BRANCH>`_: Branch to sync
+- _`<GITHUB_PAT>`_: GitHub Personal Access Token
+
+{{< admonition type="note" >}}
+
+Only `target: folder` is currently supported for Git Sync.
+
+{{< /admonition >}}
+
+#### Configuration parameters
+
+The following configuration parameters are available:
+
+| Field                                   | Description                                                 |
+| --------------------------------------- | ----------------------------------------------------------- |
+| `metadata.name`                         | Unique identifier for this repository resource              |
+| `spec.title`                            | Human-readable name displayed in Grafana UI                 |
+| `spec.type`                             | Repository type (`github`)                                  |
+| `spec.github.url`                       | GitHub repository URL                                       |
+| `spec.github.branch`                    | Branch to sync                                              |
+| `spec.github.path`                      | Directory path containing dashboards                        |
+| `spec.github.generateDashboardPreviews` | Generate preview images (true/false)                        |
+| `spec.sync.enabled`                     | Enable synchronization (true/false)                         |
+| `spec.sync.intervalSeconds`             | Sync interval in seconds                                    |
+| `spec.sync.target`                      | Where to place synced dashboards (`folder`)                 |
+| `spec.workflows`                        | Enabled workflows: `write` (direct commits), `branch` (PRs) |
+| `secure.token.create`                   | GitHub Personal Access Token                                |
+
+### Push the repository CRD to Grafana
+
+Before pushing any resources, configure `grafanactl` with your Grafana instance details. Refer to the [grafanactl configuration documentation](https://grafana.github.io/grafanactl/) for setup instructions.
+
+Push the repository configuration:
+
+```sh
+grafanactl resources push --path <DIRECTORY>
+```
+
+The `--path` parameter has to point to the directory containing your `repository.yaml` file.
+
+After pushing, Grafana will:
+
+1. Create the repository resource
+1. Connect to your GitHub repository
+1. Pull dashboards from the specified path
+1. Begin syncing at the configured interval
+
+### Manage repository resources
+
+#### List repositories
+
+To list all repositories:
+
+```sh
+grafanactl resources get repositories
+```
+
+#### Get repository details
+
+To get details for a specific repository:
+
+```sh
+grafanactl resources get repository/<REPOSITORY_NAME>
+grafanactl resources get repository/<REPOSITORY_NAME> -o json
+grafanactl resources get repository/<REPOSITORY_NAME> -o yaml
+```
+
+#### Update the repository
+
+To update a repository:
+
+```sh
+grafanactl resources edit repository/<REPOSITORY_NAME>
+```
+
+#### Delete the repository
+
+To delete a repository:
+
+```sh
+grafanactl resources delete repository/<REPOSITORY_NAME>
+```
+
+### Verify setup
+
+Check that Git Sync is working:
+
+```sh
+# List repositories
+grafanactl resources get repositories
+
+# Check Grafana UI
+# Navigate to: Administration → Provisioning → Git Sync
+```
+
 ## Verify your dashboards in Grafana
 
 To verify that your dashboards are available at the location that you specified, click **Dashboards**. The name of the dashboard is listed in the **Name** column.
 
-Now that your dashboards have been synced from a repository, you can customize the name, change the branch, and create a pull request (PR) for it. Refer to [Manage provisioned repositories with Git Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/observability-as-code/provision-resources/use-git-sync/) for more information.
+Now that your dashboards have been synced from a repository, you can customize the name, change the branch, and create a pull request (PR) for it. Refer to [Manage provisioned repositories with Git Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/use-git-sync/) for more information.
 
-## Configure webhooks and image rendering
+## Extend Git Sync for real-time notification and image rendering
 
-You can extend Git Sync by getting instant updates and pull requests using webhooks and add dashboard previews in pull requests.
+Optionally, you can extend Git Sync by enabling pull request notifications and image previews of dashboard changes.
+
+| Capability                                            | Benefit                                                                        | Requires                               |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------- |
+| Adds a table summarizing changes to your pull request | Provides a convenient way to save changes back to GitHub                       | Webhooks configured                    |
+| Add a dashboard preview image to a PR                 | View a snapshot of dashboard changes to a pull request without opening Grafana | Image renderer and webhooks configured |
 
 ### Set up webhooks for realtime notification and pull request integration
 
@@ -191,25 +332,26 @@ When connecting to a GitHub repository, Git Sync uses webhooks to enable real-ti
 
 You can set up webhooks with whichever service or tooling you prefer. You can use Cloudflare Tunnels with a Cloudflare-managed domain, port-forwarding and DNS options, or a tool such as `ngrok`.
 
-To set up webhooks you need to expose your Grafana instance to the public Internet. You can do this via port forwarding and DNS, a tool such as `ngrok`, or any other method you prefer. The permissions set in your GitHub access token provide the authorization for this communication.
+To set up webhooks, you need to expose your Grafana instance to the public Internet. You can do this via port forwarding and DNS, a tool such as `ngrok`, or any other method you prefer. The permissions set in your GitHub access token provide the authorization for this communication.
 
 After you have the public URL, you can add it to your Grafana configuration file:
 
-```yaml
+```ini
 [server]
-root_url = https://PUBLIC_DOMAIN.HERE
+root_url = https://<PUBLIC_DOMAIN>
 ```
 
+Replace _`<PUBLIC_DOMAIN>`_ with your public domain.
+
 To check the configured webhooks, go to **Administration** > **Provisioning** and click the **View** link for your GitHub repository.
 
 #### Expose necessary paths only
 
-If your security setup does not permit publicly exposing the Grafana instance, you can either choose to `allowlist` the GitHub IP addresses, or expose only the necessary paths.
+If your security setup doesn't permit publicly exposing the Grafana instance, you can either choose to allowlist the GitHub IP addresses, or expose only the necessary paths.
 
 The necessary paths required to be exposed are, in RegExp:
 
 - `/apis/provisioning\.grafana\.app/v0(alpha1)?/namespaces/[^/]+/repositories/[^/]+/(webhook|render/.*)$`
-<!-- TODO: Path for the blob storage for image rendering? @ryantxu would know this best. -->
 
 ### Set up image rendering for dashboard previews
 
@@ -217,12 +359,14 @@ Set up image rendering to add visual previews of dashboard updates directly in p
 
 To enable this capability, install the Grafana Image Renderer in your Grafana instance. For more information and installation instructions, refer to the [Image Renderer service](https://github.com/grafana/grafana-image-renderer).
 
-## Modify configurations after set up is complete
+## Next steps
 
-To update your repository configuration after you've completed set up:
+You've successfully set up Git Sync to manage your Grafana dashboards through version control. Your dashboards are now synchronized with a GitHub repository, enabling collaborative development and change tracking.
 
-1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
-1. Select **Administration** in the left-side menu and then **Provisioning**.
-1. Select **Settings** for the repository you wish to modify.
-1. Use the **Configure repository** screen to update any of the settings.
-1. Select **Save** to preserve the updates.
+To learn more about using Git Sync:
+
+- [Work with provisioned dashboards](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/provisioned-dashboards/)
+- [Manage provisioned repositories with Git Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/use-git-sync/)
+- [Git Sync deployment scenarios](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios)
+- [Export resources](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/export-resources/)
+- [grafanactl documentation](https://grafana.github.io/grafanactl/)

docs/sources/as-code/observability-as-code/provision-resources/intro-git-sync.md

@@ -127,7 +127,13 @@ An instance can be in one of the following Git Sync states:
 
 ## Common use cases
 
-You can use Git Sync in the following scenarios.
+{{< admonition type="note" >}}
+
+Refer to [Git Sync deployment scenarios](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/as-code/observability-as-code/provision-resources/git-sync-deployment-scenarios) for sample scenarios, including architecture and configuration details.
+
+{{< /admonition >}}
+
+You can use Git Sync for the following use cases:
 
 ### Version control and auditing
 

docs/sources/as-code/observability-as-code/provision-resources/use-git-sync.md

@@ -14,7 +14,7 @@ labels:
     - cloud
 title: Manage provisioned repositories with Git Sync
 menuTitle: Manage repositories with Git Sync
-weight: 120
+weight: 400
 canonical: https://grafana.com/docs/grafana/latest/as-code/observability-as-code/provision-resources/use-git-sync/
 aliases:
   - ../../../observability-as-code/provision-resources/use-git-sync/ # /docs/grafana/next/observability-as-code/provision-resources/use-git-sync/

docs/sources/as-code/observability-as-code/schema-v2/links-schema.md

@@ -62,5 +62,6 @@ The table includes default and other fields:
 | targetBlank | bool. If true, the link will be opened in a new tab. Default is `false`. |
 | includeVars | bool. If true, includes current template variables values in the link as query params. Default is `false`. |
 | keepTime    | bool. If true, includes current time range in the link as query params. Default is `false`. |
+| placement?  | string. Use placement to display the link somewhere else on the dashboard other than above the visualizations. Use  the `inControlsMenu` parameter to render the link in the dashboard controls dropdown menu. |
 
 <!-- prettier-ignore-end -->

docs/sources/datasources/azure-monitor/_index.md

@@ -3,7 +3,6 @@ aliases:
   - ../data-sources/azure-monitor/
   - ../features/datasources/azuremonitor/
   - azuremonitor/
-  - azuremonitor/deprecated-application-insights/
 description: Guide for using Azure Monitor in Grafana
 keywords:
   - grafana
@@ -23,6 +22,7 @@ labels:
 menuTitle: Azure Monitor
 title: Azure Monitor data source
 weight: 300
+last_reviewed: 2025-12-04
 refs:
   configure-grafana-feature-toggles:
     - pattern: /docs/grafana/
@@ -49,6 +49,11 @@ refs:
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+  transform-data:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/
   configure-grafana-azure:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
@@ -63,295 +68,98 @@ refs:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
     - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  query-editor-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+  template-variables-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+  alerting-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+  troubleshooting-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+  annotations-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
 ---
 
 # Azure Monitor data source
 
-Grafana ships with built-in support for Azure Monitor, the Azure service to maximize the availability and performance of applications and services in the Azure Cloud.
-This topic explains configuring and querying specific to the Azure Monitor data source.
+The Azure Monitor data source plugin allows you to query and visualize data from Azure Monitor, the Azure service to maximize the availability and performance of applications and services in the Azure Cloud.
 
-For instructions on how to add a data source to Grafana, refer to the [administration documentation](ref:data-source-management).
-Only users with the organization administrator role can add data sources.
+## Supported Azure clouds
 
-Once you've added the Azure Monitor data source, you can [configure it](#configure-the-data-source) so that your Grafana instance's users can create queries in its [query editor](query-editor/) when they [build dashboards](ref:build-dashboards) and use [Explore](ref:explore).
+The Azure Monitor data source supports the following Azure cloud environments:
 
-The Azure Monitor data source supports visualizing data from four Azure services:
+- **Azure** - Azure public cloud (default)
+- **Azure US Government** - Azure Government cloud
+- **Azure China** - Azure China cloud operated by 21Vianet
 
-- **Azure Monitor Metrics:** Collect numeric data from resources in your Azure account.
-- **Azure Monitor Logs:** Collect log and performance data from your Azure account, and query using the Kusto Query Language (KQL).
-- **Azure Resource Graph:** Query your Azure resources across subscriptions.
-- **Azure Monitor Application Insights:** Collect trace logging data and other application performance metrics.
+## Supported Azure services
 
-## Configure the data source
+The Azure Monitor data source supports the following Azure services:
 
-**To access the data source configuration page:**
+| Service                         | Description                                                                                                                 |
+| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| **Azure Monitor Metrics**       | Collect numeric data from resources in your Azure account. Supports dimensions, aggregations, and time grain configuration. |
+| **Azure Monitor Logs**          | Collect log and performance data from your Azure account using the Kusto Query Language (KQL).                              |
+| **Azure Resource Graph**        | Query your Azure resources across subscriptions using KQL. Useful for inventory, compliance, and resource management.       |
+| **Application Insights Traces** | Collect distributed trace data and correlate requests across your application components.                                   |
 
-1. Click **Connections** in the left-side menu.
-1. Under Your connections, click **Data sources**.
-1. Enter `Azure Monitor` in the search bar.
-1. Click **Azure Monitor**.
+## Get started
 
-   The **Settings** tab of the data source is displayed.
+The following documents will help you get started with the Azure Monitor data source:
 
-### Configure Azure Active Directory (AD) authentication
+- [Configure the Azure Monitor data source](ref:configure-azure-monitor) - Set up authentication and connect to Azure
+- [Azure Monitor query editor](ref:query-editor-azure-monitor) - Create and edit queries for Metrics, Logs, Traces, and Resource Graph
+- [Template variables](ref:template-variables-azure-monitor) - Create dynamic dashboards with Azure Monitor variables
+- [Alerting](ref:alerting-azure-monitor) - Create alert rules using Azure Monitor data
+- [Troubleshooting](ref:troubleshooting-azure-monitor) - Solve common configuration and query errors
 
-You must create an app registration and service principal in Azure AD to authenticate the data source.
-For configuration details, refer to the [Azure documentation for service principals](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).
+## Additional features
 
-The app registration you create must have the `Reader` role assigned on the subscription.
-For more information, refer to [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+After you have configured the Azure Monitor data source, you can:
 
-If you host Grafana in Azure, such as in App Service or Azure Virtual Machines, you can configure the Azure Monitor data source to use Managed Identity for secure authentication without entering credentials into Grafana.
-For details, refer to [Configuring using Managed Identity](#configuring-using-managed-identity).
+- Add [Annotations](ref:annotations-azure-monitor) to overlay Azure log events on your graphs.
+- Configure and use [Template variables](ref:template-variables-azure-monitor) for dynamic dashboards.
+- Add [Transformations](ref:transform-data) to manipulate query results.
+- Set up [Alerting](ref:alerting-azure-monitor) and recording rules using Metrics, Logs, Traces, and Resource Graph queries.
+- Use [Explore](ref:explore) to investigate your Azure data without building a dashboard.
 
-You can configure the Azure Monitor data source to use Workload Identity for secure authentication without entering credentials into Grafana if you host Grafana in a Kubernetes environment, such as AKS, and require access to Azure resources.
-For details, refer to [Configuring using Workload Identity](#configuring-using-workload-identity).
+## Pre-built dashboards
 
-| Name                        | Description                                                                                                                                                                                                                                                                                           |
-| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Authentication**          | Enables Managed Identity. Selecting Managed Identity hides many of the other fields. For details, see [Configuring using Managed Identity](#configuring-using-managed-identity).                                                                                                                      |
-| **Azure Cloud**             | Sets the national cloud for your Azure account. For most users, this is the default "Azure". For details, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud).                                                               |
-| **Directory (tenant) ID**   | Sets the directory/tenant ID for the Azure AD app registration to use for authentication. For details, see the [Azure tenant and app ID docs](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).     |
-| **Application (client) ID** | Sets the application/client ID for the Azure AD app registration to use for authentication.                                                                                                                                                                                                           |
-| **Client secret**           | Sets the application client secret for the Azure AD app registration to use for authentication. For details, see the [Azure application secret docs](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret). |
-| **Default subscription**    | _(Optional)_ Sets a default subscription for template variables to use.                                                                                                                                                                                                                               |
-| **Enable Basic Logs**       | Allows this data source to execute queries against [Basic Logs tables](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-query?tabs=portal-1) in supported Log Analytics Workspaces. These queries may incur additional costs.                                                    |
+The Azure Monitor plugin includes the following pre-built dashboards:
 
-### Provision the data source
+- **Azure Monitor Overview** - Displays key metrics across your Azure subscriptions and resources.
+- **Azure Storage Account** - Shows storage account metrics including availability, latency, and transactions.
 
-You can define and configure the data source in YAML files as part of Grafana's provisioning system.
-For more information about provisioning, and for available configuration options, refer to [Provisioning Grafana](ref:provisioning-data-sources).
+To import a pre-built dashboard:
 
-#### Provisioning examples
+1. Go to **Connections** > **Data sources**.
+1. Select your Azure Monitor data source.
+1. Click the **Dashboards** tab.
+1. Click **Import** next to the dashboard you want to use.
 
-**Azure AD App Registration (client secret):**
+## Related resources
 
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: clientsecret
-      cloudName: azuremonitor # See table below
-      tenantId: <tenant-id>
-      clientId: <client-id>
-      subscriptionId: <subscription-id> # Optional, default subscription
-    secureJsonData:
-      clientSecret: <client-secret>
-    version: 1
-```
-
-**Managed Identity:**
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: msi
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-**Workload Identity:**
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: workloadidentity
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-**Current User:**
-
-{{< admonition type="note" >}}
-The `oauthPassThru` property is required for current user authentication to function.
-Additionally, `disableGrafanaCache` is necessary to prevent the data source returning cached responses for resources users don't have access to.
-{{< /admonition >}}
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: currentuser
-      oauthPassThru: true
-      disableGrafanaCache: true
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-#### Supported cloud names
-
-| Azure Cloud                          | `cloudName` Value          |
-| ------------------------------------ | -------------------------- |
-| **Microsoft Azure public cloud**     | `azuremonitor` (_Default_) |
-| **Microsoft Chinese national cloud** | `chinaazuremonitor`        |
-| **US Government cloud**              | `govazuremonitor`          |
-
-{{< admonition type="note" >}}
-Cloud names for current user authentication differ to the `cloudName` values in the preceding table.
-The public cloud name is `AzureCloud`, the Chinese national cloud name is `AzureChinaCloud`, and the US Government cloud name is `AzureUSGovernment`.
-{{< /admonition >}}
-
-### Configure Managed Identity
-
-{{< admonition type="note" >}}
-Managed Identity is available only in [Azure Managed Grafana](https://azure.microsoft.com/en-us/products/managed-grafana) or Grafana OSS/Enterprise when deployed in Azure. It is not available in Grafana Cloud.
-{{< /admonition >}}
-
-You can use managed identity to configure Azure Monitor in Grafana if you host Grafana in Azure (such as an App Service or with Azure Virtual Machines) and have managed identity enabled on your VM.
-This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations.
-For details on Azure managed identities, refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
-
-**To enable managed identity for Grafana:**
-
-1. Set the `managed_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-
-   ```ini
-   [azure]
-   managed_identity_enabled = true
-   ```
-
-2. In the Azure Monitor data source configuration, set **Authentication** to **Managed Identity**.
-
-   This hides the directory ID, application ID, and client secret fields, and the data source uses managed identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.
-
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-managed-identity-2.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Managed Identity authentication" >}}
-
-3. You can set the `managed_identity_client_id` field in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure) to allow a user-assigned managed identity to be used instead of the default system-assigned identity.
-
-```ini
-[azure]
-managed_identity_enabled = true
-managed_identity_client_id = USER_ASSIGNED_IDENTITY_CLIENT_ID
-```
-
-### Configure Workload Identity
-
-You can use workload identity to configure Azure Monitor in Grafana if you host Grafana in a Kubernetes environment, such as AKS, in conjunction with managed identities.
-This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations.
-For details on workload identity, refer to the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/).
-
-**To enable workload identity for Grafana:**
-
-1. Set the `workload_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-
-   ```ini
-   [azure]
-   workload_identity_enabled = true
-   ```
-
-2. In the Azure Monitor data source configuration, set **Authentication** to **Workload Identity**.
-
-   This hides the directory ID, application ID, and client secret fields, and the data source uses workload identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.
-
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-workload-identity.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Workload Identity authentication" >}}
-
-3. There are additional configuration variables that can control the authentication method.`workload_identity_tenant_id` represents the Azure AD tenant that contains the managed identity, `workload_identity_client_id` represents the client ID of the managed identity if it differs from the default client ID, `workload_identity_token_file` represents the path to the token file. Refer to the [documentation](https://azure.github.io/azure-workload-identity/docs/) for more information on what values these variables should use, if any.
-
-   ```ini
-   [azure]
-   workload_identity_enabled = true
-   workload_identity_tenant_id = IDENTITY_TENANT_ID
-   workload_identity_client_id = IDENTITY_CLIENT_ID
-   workload_identity_token_file = TOKEN_FILE_PATH
-   ```
-
-### Configure Current User authentication
-
-{{< admonition type="note" >}}
-Current user authentication is an [experimental feature](/docs/release-life-cycle). Engineering and on-call support is not available. Documentation is either limited or not provided outside of code comments. No SLA is provided. Contact Grafana Support to enable this feature in Grafana Cloud. Aspects of Grafana may not work as expected when using this authentication method.
-{{< /admonition >}}
-
-If your Grafana instance is configured with Azure Entra (formerly Active Directory) authentication for login, this authentication method can be used to forward the currently logged in user's credentials to the data source. The users credentials will then be used when requesting data from the data source. For details on how to configure your Grafana instance using Azure Entra refer to the [documentation](ref:configure-grafana-azure-auth).
-
-{{< admonition type="note" >}}
-Additional configuration is required to ensure that the App Registration used to login a user via Azure provides an access token with the permissions required by the data source.
-
-The App Registration must be configured to issue both **Access Tokens** and **ID Tokens**.
-
-1. In the Azure Portal, open the App Registration that requires configuration.
-2. Select **Authentication** in the side menu.
-3. Under **Implicit grant and hybrid flows** check both the **Access tokens** and **ID tokens** boxes.
-4. Save the changes to ensure the App Registration is updated.
-
-The App Registration must also be configured with additional **API Permissions** to provide authenticated users with access to the APIs utilised by the data source.
-
-1. In the Azure Portal, open the App Registration that requires configuration.
-1. Select **API Permissions** in the side menu.
-1. Ensure the `openid`, `profile`, `email`, and `offline_access` permissions are present under the **Microsoft Graph** section. If not, they must be added.
-1. Select **Add a permission** and choose the following permissions. They must be added individually. Refer to the [Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis) for more information.
-   - Select **Azure Service Management** > **Delegated permissions** > `user_impersonation` > **Add permissions**
-   - Select **APIs my organization uses** > Search for **Log Analytics API** and select it > **Delegated permissions** > `Date.Read` > **Add permissions**
-
-Once all permissions have been added, the Azure authentication section in Grafana must be updated. The `scopes` section must be updated to include the `.default` scope to ensure that a token with access to all APIs declared on the App Registration is requested by Grafana. Once updated the scopes value should equal: `.default openid email profile`.
-{{< /admonition >}}
-
-This method of authentication doesn't inherently support all backend functionality as a user's credentials won't be in scope.
-Affected functionality includes alerting, reporting, and recorded queries.
-In order to support backend queries when using a data source configured with current user authentication, you can configure service credentials.
-Also, note that query and resource caching is disabled by default for data sources using current user authentication.
-
-{{< admonition type="note" >}}
-To configure fallback service credentials the [feature toggle](ref:configure-grafana-feature-toggles) `idForwarding` must be set to `true` and `user_identity_fallback_credentials_enabled` must be enabled in the [Azure configuration section](ref:configure-grafana-azure) (enabled by default when `user_identity_enabled` is set to `true`).
-{{< /admonition >}}
-
-Permissions for fallback credentials may need to be broad to appropriately support backend functionality.
-For example, an alerting query created by a user is dependent on their permissions.
-If a user tries to create an alert for a resource that the fallback credentials can't access, the alert will fail.
-
-**To enable current user authentication for Grafana:**
-
-1. Set the `user_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-   By default this will also enable fallback service credentials.
-   If you want to disable service credentials at the instance level set `user_identity_fallback_credentials_enabled` to false.
-
-   ```ini
-   [azure]
-   user_identity_enabled = true
-   ```
-
-1. In the Azure Monitor data source configuration, set **Authentication** to **Current User**.
-   If fallback service credentials are enabled at the instance level, an additional configuration section is visible that you can use to enable or disable using service credentials for this data source.
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-current-user.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Current User authentication" >}}
-
-1. If you want backend functionality to work with this data source, enable service credentials and configure the data source using the most applicable credentials for your circumstances.
-
-## Query the data source
-
-The Azure Monitor data source can query data from Azure Monitor Metrics and Logs, the Azure Resource Graph, and Application Insights Traces. Each source has its own specialized query editor.
-
-For details, see the [query editor documentation](query-editor/).
-
-## Use template variables
-
-Instead of hard-coding details such as server, application, and sensor names in metric queries, you can use variables.
-Grafana lists these variables in dropdown select boxes at the top of the dashboard to help you change the data displayed in your dashboard.
-Grafana refers to such variables as template variables.
-
-For details, see the [template variables documentation](template-variables/).
-
-## Application Insights and Insights Analytics (removed)
-
-Until Grafana v8.0, you could query the same Azure Application Insights data using Application Insights and Insights Analytics.
-
-These queries were deprecated in Grafana v7.5. In Grafana v8.0, Application Insights and Insights Analytics were made read-only in favor of querying this data through Metrics and Logs. These query methods were completely removed in Grafana v9.0.
-
-If you're upgrading from a Grafana version prior to v9.0 and relied on Application Insights and Analytics queries, refer to the [Grafana v9.0 documentation](/docs/grafana/v9.0/datasources/azuremonitor/deprecated-application-insights/) for help migrating these queries to Metrics and Logs queries.
+- [Azure Monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/)
+- [Kusto Query Language (KQL) reference](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/)
+- [Grafana community forum](https://community.grafana.com/)

docs/sources/datasources/azure-monitor/alerting/index.md

@@ -0,0 +1,262 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/alerting/
+description: Set up alerts using Azure Monitor data in Grafana
+keywords:
+  - grafana
+  - azure
+  - monitor
+  - alerting
+  - alerts
+  - metrics
+  - logs
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Alerting
+title: Azure Monitor alerting
+weight: 500
+refs:
+  alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+  alerting-fundamentals:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/
+  create-alert-rule:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+  grafana-managed-recording-rules:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-recording-rules/create-grafana-managed-recording-rules/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-recording-rules/create-grafana-managed-recording-rules/
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+  troubleshoot:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+---
+
+# Azure Monitor alerting
+
+The Azure Monitor data source supports [Grafana Alerting](ref:alerting) and [Grafana-managed recording rules](ref:grafana-managed-recording-rules), allowing you to create alert rules based on Azure metrics, logs, traces, and resource data. You can monitor your Azure environment and receive notifications when specific conditions are met.
+
+## Before you begin
+
+- Ensure you have the appropriate permissions to create alert rules in Grafana.
+- Verify your Azure Monitor data source is configured and working correctly.
+- Familiarize yourself with [Grafana Alerting concepts](ref:alerting-fundamentals).
+- **Important**: Verify your data source uses a supported authentication method. Refer to [Authentication requirements](#authentication-requirements).
+
+## Supported query types for alerting
+
+All Azure Monitor query types support alerting and recording rules:
+
+| Query type           | Use case                                           | Notes                                                    |
+| -------------------- | -------------------------------------------------- | -------------------------------------------------------- |
+| Metrics              | Threshold-based alerts on Azure resource metrics   | Best suited for alerting; returns time-series data       |
+| Logs                 | Alert on log patterns, error counts, or thresholds | Use KQL to aggregate data into numeric values            |
+| Azure Resource Graph | Alert on resource state or configuration changes   | Use count aggregations to return numeric data            |
+| Traces               | Alert on trace data and application performance    | Use aggregations to return numeric values for evaluation |
+
+{{< admonition type="note" >}}
+Alert queries must return numeric data that Grafana can evaluate against a threshold. Queries that return only text or non-numeric data cannot be used directly for alerting.
+{{< /admonition >}}
+
+## Authentication requirements
+
+Alerting and recording rules run as background processes without a user context. This means they require service-level authentication and don't work with all authentication methods.
+
+| Authentication method            | Supported                             |
+| -------------------------------- | ------------------------------------- |
+| App Registration (client secret) | ✓                                     |
+| Managed Identity                 | ✓                                     |
+| Workload Identity                | ✓                                     |
+| Current User                     | ✓ (with fallback service credentials) |
+
+{{< admonition type="note" >}}
+If you use **Current User** authentication, you must configure **fallback service credentials** for alerting and recording rules to function. User credentials aren't available for background operations, so Grafana uses the fallback credentials instead. Refer to [configure the data source](ref:configure-azure-monitor) for details on setting up fallback credentials.
+{{< /admonition >}}
+
+## Create an alert rule
+
+To create an alert rule using Azure Monitor data:
+
+1. Go to **Alerting** > **Alert rules**.
+1. Click **New alert rule**.
+1. Enter a name for your alert rule.
+1. In the **Define query and alert condition** section:
+   - Select your Azure Monitor data source.
+   - Configure your query (for example, a Metrics query for CPU usage or a Logs query using KQL).
+   - Add a **Reduce** expression if your query returns multiple series.
+   - Add a **Threshold** expression to define the alert condition.
+1. Configure the **Set evaluation behavior**:
+   - Select or create a folder and evaluation group.
+   - Set the evaluation interval (how often the alert is checked).
+   - Set the pending period (how long the condition must be true before firing).
+1. Add labels and annotations to provide context for notifications.
+1. Click **Save rule**.
+
+For detailed instructions, refer to [Create a Grafana-managed alert rule](ref:create-alert-rule).
+
+## Example: VM CPU usage alert
+
+This example creates an alert that fires when virtual machine CPU usage exceeds 80%:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Metrics
+   - **Resource**: Select your virtual machine
+   - **Metric namespace**: `Microsoft.Compute/virtualMachines`
+   - **Metric**: `Percentage CPU`
+   - **Aggregation**: `Average`
+1. Add expressions:
+   - **Reduce**: Last (to get the most recent data point)
+   - **Threshold**: Is above 80
+1. Set evaluation to run every 1 minute with a 5-minute pending period.
+1. Save the rule.
+
+## Example: Error log count alert
+
+This example alerts when error logs exceed a threshold using a KQL query:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Logs
+   - **Resource**: Select your Log Analytics workspace
+   - **Query**:
+     ```kusto
+     AppExceptions
+     | where TimeGenerated > ago(5m)
+     | summarize ErrorCount = count() by bin(TimeGenerated, 1m)
+     ```
+1. Add expressions:
+   - **Reduce**: Max (to get the highest count in the period)
+   - **Threshold**: Is above 10
+1. Set evaluation to run every 5 minutes.
+1. Save the rule.
+
+## Example: Resource count alert
+
+This example alerts when the number of running virtual machines drops below a threshold using Azure Resource Graph:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Azure Resource Graph
+   - **Subscriptions**: Select your subscriptions
+   - **Query**:
+
+     ```kusto
+     resources
+     | where type == "microsoft.compute/virtualmachines"
+     | where properties.extended.instanceView.powerState.displayStatus == "VM running"
+     | summarize RunningVMs = count()
+     ```
+
+1. Add expressions:
+   - **Reduce**: Last
+   - **Threshold**: Is below 3
+1. Set evaluation to run every 5 minutes.
+1. Save the rule.
+
+## Best practices
+
+Follow these recommendations to create reliable and efficient alerts with Azure Monitor data.
+
+### Use appropriate query intervals
+
+- Set the alert evaluation interval to be greater than or equal to the minimum data resolution from Azure Monitor.
+- Azure Monitor Metrics typically have 1-minute granularity at minimum.
+- Avoid very short intervals (less than 1 minute) as they may cause evaluation timeouts or miss data points.
+
+### Reduce multiple series
+
+When your Azure Monitor query returns multiple time series (for example, CPU usage across multiple VMs), use the **Reduce** expression to aggregate them:
+
+- **Last**: Use the most recent value
+- **Mean**: Average across all series
+- **Max/Min**: Use the highest or lowest value
+- **Sum**: Total across all series
+
+### Optimize Log Analytics queries
+
+For Logs queries used in alerting:
+
+- Use `summarize` to aggregate data into numeric values.
+- Include appropriate time filters using `ago()` or `TimeGenerated`.
+- Avoid returning large result sets; aggregate data in the query.
+- Test queries in Explore before using them in alert rules.
+
+### Handle no data conditions
+
+Configure what happens when no data is returned:
+
+1. In the alert rule, find **Configure no data and error handling**.
+1. Choose an appropriate action:
+   - **No Data**: Keep the alert in its current state
+   - **Alerting**: Treat no data as an alert condition
+   - **OK**: Treat no data as a healthy state
+
+### Test queries before alerting
+
+Always verify your query returns expected data before creating an alert:
+
+1. Go to **Explore**.
+1. Select your Azure Monitor data source.
+1. Run the query you plan to use for alerting.
+1. Confirm the data format and values are correct.
+1. Verify the query returns numeric data suitable for threshold evaluation.
+
+## Troubleshooting
+
+If your Azure Monitor alerts aren't working as expected, use the following sections to diagnose and resolve common issues.
+
+### Alerts not firing
+
+- Verify the data source uses a supported authentication method. If using Current User authentication, ensure fallback service credentials are configured.
+- Check that the query returns numeric data in Explore.
+- Ensure the evaluation interval allows enough time for data to be available.
+- Review the alert rule's health and any error messages in the Alerting UI.
+
+### Authentication errors in alert evaluation
+
+If you see authentication errors when alerts evaluate:
+
+- Confirm the data source is configured with App Registration, Managed Identity, Workload Identity, or Current User with fallback service credentials.
+- If using App Registration, verify the client secret hasn't expired.
+- If using Current User, verify that fallback service credentials are configured and valid.
+- Check that the service principal has appropriate permissions on Azure resources.
+
+### Query timeout errors
+
+- Simplify complex KQL queries.
+- Reduce the time range in Log Analytics queries.
+- Add more specific filters to narrow result sets.
+
+For additional troubleshooting help, refer to [Troubleshoot Azure Monitor](ref:troubleshoot).
+
+## Additional resources
+
+- [Grafana Alerting documentation](ref:alerting)
+- [Create alert rules](ref:create-alert-rule)
+- [Azure Monitor query editor](ref:query-editor)
+- [Grafana-managed recording rules](ref:grafana-managed-recording-rules)

docs/sources/datasources/azure-monitor/annotations/index.md

@@ -0,0 +1,218 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/annotations/
+description: Use annotations with the Azure Monitor data source in Grafana
+keywords:
+  - grafana
+  - azure
+  - monitor
+  - annotations
+  - events
+  - logs
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Annotations
+title: Azure Monitor annotations
+weight: 450
+refs:
+  annotate-visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+  query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+---
+
+# Azure Monitor annotations
+
+[Annotations](ref:annotate-visualizations) overlay rich event information on top of graphs. You can use Azure Monitor Log Analytics queries to create annotations that mark important events, deployments, alerts, or other significant occurrences on your dashboards.
+
+## Before you begin
+
+- Ensure you have configured the Azure Monitor data source.
+- You need access to a Log Analytics workspace containing the data you want to use for annotations.
+- Annotations use Log Analytics (KQL) queries only. Metrics, Traces, and Azure Resource Graph queries are not supported for annotations.
+
+## Create an annotation query
+
+To add an Azure Monitor annotation to a dashboard:
+
+1. Open the dashboard where you want to add annotations.
+1. Click **Dashboard settings** (gear icon) in the top navigation.
+1. Select **Annotations** in the left menu.
+1. Click **Add annotation query**.
+1. Enter a **Name** for the annotation (e.g., "Azure Activity", "Deployments").
+1. Select your **Azure Monitor** data source.
+1. Choose the **Logs** service.
+1. Select a **Resource** (Log Analytics workspace or Application Insights resource).
+1. Write a KQL query that returns the annotation data.
+1. Click **Apply** to save.
+
+## Query requirements
+
+Your KQL query should return columns that Grafana can use to create annotations:
+
+| Column             | Required    | Description                                                                                      |
+| ------------------ | ----------- | ------------------------------------------------------------------------------------------------ |
+| `TimeGenerated`    | Yes         | The timestamp for the annotation. Grafana uses this to position the annotation on the time axis. |
+| `Text`             | Recommended | The annotation text displayed when you hover over or click the annotation.                       |
+| Additional columns | Optional    | Any other columns returned become annotation tags.                                               |
+
+{{< admonition type="note" >}}
+Always include a time filter in your query to limit results to the dashboard's time range. Use the `$__timeFilter()` macro.
+{{< /admonition >}}
+
+## Annotation query examples
+
+The following examples demonstrate common annotation use cases.
+
+### Azure Activity Log events
+
+Display Azure Activity Log events such as resource modifications, deployments, and administrative actions:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where Level == "Error" or Level == "Warning" or CategoryValue == "Administrative"
+| project TimeGenerated, Text=OperationNameValue, Level, ResourceGroup, Caller
+| order by TimeGenerated desc
+| take 100
+```
+
+### Deployment events
+
+Show deployment-related activity:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue contains "deployments"
+| project TimeGenerated, Text=strcat("Deployment: ", OperationNameValue), Status=ActivityStatusValue, ResourceGroup
+| order by TimeGenerated desc
+```
+
+### Application Insights exceptions
+
+Mark application exceptions as annotations:
+
+```kusto
+AppExceptions
+| where $__timeFilter(TimeGenerated)
+| project TimeGenerated, Text=strcat(ProblemId, ": ", OuterMessage), SeverityLevel, AppRoleName
+| order by TimeGenerated desc
+| take 50
+```
+
+### Custom events from Application Insights
+
+Display custom events logged by your application:
+
+```kusto
+AppEvents
+| where $__timeFilter(TimeGenerated)
+| where Name == "DeploymentStarted" or Name == "DeploymentCompleted"
+| project TimeGenerated, Text=Name, AppRoleName
+| order by TimeGenerated desc
+```
+
+### Security alerts
+
+Show security-related alerts:
+
+```kusto
+SecurityAlert
+| where $__timeFilter(TimeGenerated)
+| project TimeGenerated, Text=AlertName, Severity=AlertSeverity, Description
+| order by TimeGenerated desc
+| take 50
+```
+
+### Resource health events
+
+Display resource health status changes:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where CategoryValue == "ResourceHealth"
+| project TimeGenerated, Text=OperationNameValue, Status=ActivityStatusValue, ResourceId
+| order by TimeGenerated desc
+```
+
+### VM start and stop events
+
+Mark virtual machine state changes:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue has_any ("start", "deallocate", "restart")
+| where ResourceProviderValue == "MICROSOFT.COMPUTE"
+| project TimeGenerated, Text=OperationNameValue, VM=Resource, Status=ActivityStatusValue
+| order by TimeGenerated desc
+```
+
+### Autoscale events
+
+Show autoscale operations:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue contains "autoscale"
+| project TimeGenerated, Text=strcat("Autoscale: ", OperationNameValue), Status=ActivityStatusValue, ResourceGroup
+| order by TimeGenerated desc
+```
+
+## Customize annotation appearance
+
+After creating an annotation query, you can customize its appearance:
+
+| Setting       | Description                                                                                              |
+| ------------- | -------------------------------------------------------------------------------------------------------- |
+| **Color**     | Choose a color for the annotation markers. Use different colors to distinguish between annotation types. |
+| **Show in**   | Select which panels display the annotations.                                                             |
+| **Filter by** | Add filters to limit when annotations appear.                                                            |
+
+## Best practices
+
+Follow these recommendations when creating annotations:
+
+1. **Limit results**: Always use `take` or `limit` to restrict the number of annotations. Too many annotations can clutter your dashboard and impact performance.
+
+2. **Use time filters**: Include `$__timeFilter()` to ensure queries only return data within the dashboard's time range.
+
+3. **Create meaningful text**: Use `strcat()` or `project` to create descriptive annotation text that provides context at a glance.
+
+4. **Add relevant tags**: Include columns like `ResourceGroup`, `Severity`, or `Status` that become clickable tags for filtering.
+
+5. **Use descriptive names**: Name your annotations clearly (e.g., "Production Deployments", "Critical Alerts") so dashboard users understand what they represent.
+
+## Troubleshoot annotations
+
+If annotations aren't appearing as expected, try the following solutions.
+
+### Annotations don't appear
+
+- Verify the query returns data in the selected time range.
+- Check that the query includes a `TimeGenerated` column.
+- Test the query in the Azure Portal Log Analytics query editor.
+- Ensure the annotation is enabled (toggle is on).
+
+### Too many annotations
+
+- Add more specific filters to your query.
+- Use `take` to limit results.
+- Narrow the time range.
+
+### Annotations appear at wrong times
+
+- Verify the `TimeGenerated` column contains the correct timestamp.
+- Check your dashboard's timezone settings.

docs/sources/datasources/azure-monitor/configure/index.md

@@ -0,0 +1,605 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/configure/
+description: Guide for configuring the Azure Monitor data source in Grafana.
+keywords:
+  - grafana
+  - microsoft
+  - azure
+  - monitor
+  - application
+  - insights
+  - log
+  - analytics
+  - guide
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Configure
+title: Configure the Azure Monitor data source
+weight: 200
+last_reviewed: 2025-12-04
+refs:
+  configure-grafana-feature-toggles:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#feature_toggles
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#feature_toggles
+  provisioning-data-sources:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
+  explore:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+  configure-grafana-azure-auth:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
+  build-dashboards:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+  configure-grafana-azure:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
+  data-source-management:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
+  configure-grafana-azure-auth-scopes:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+  data-sources:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/
+  private-data-source-connect:
+    - pattern: /docs/grafana/
+      destination: docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+    - pattern: /docs/grafana-cloud/
+      destination: docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+  configure-pdc:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc
+---
+
+# Configure the Azure Monitor data source
+
+This document explains how to configure the Azure Monitor data source and the available configuration options.
+For general information about data sources, refer to [Grafana data sources](ref:data-sources) and [Data source management](ref:data-source-management).
+
+## Before you begin
+
+Before configuring the Azure Monitor data source, ensure you have the following:
+
+- **Grafana permissions:** You must have the `Organization administrator` role to configure data sources.
+  Organization administrators can also [configure the data source via YAML](#provision-the-data-source) with the Grafana provisioning system or [using Terraform](#configure-with-terraform).
+
+- **Azure prerequisites:** Depending on your chosen authentication method, you may need:
+  - A Microsoft Entra ID (formerly Azure AD) app registration with a service principal (for App Registration authentication)
+  - A Managed Identity enabled on your Azure VM or App Service (for Managed Identity authentication)
+  - Workload identity configured in your Kubernetes cluster (for Workload Identity authentication)
+  - Microsoft Entra ID authentication configured for Grafana login (for Current User authentication)
+
+{{< admonition type="note" >}}
+**Grafana Cloud users:** Managed Identity and Workload Identity authentication methods are not available in Grafana Cloud because they require Grafana to run on your Azure infrastructure. Use **App Registration** authentication instead.
+{{< /admonition >}}
+
+- **Azure RBAC permissions:** The identity used to authenticate must have the `Reader` role on the Azure subscription containing the resources you want to monitor.
+  For Log Analytics queries, the identity also needs appropriate permissions on the Log Analytics workspaces to be queried.
+  Refer to the [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+
+{{< admonition type="note" >}}
+The Azure Monitor data source plugin is built into Grafana. No additional installation is required.
+{{< /admonition >}}
+
+## Add the data source
+
+To add the Azure Monitor data source:
+
+1. Click **Connections** in the left-side menu.
+1. Click **Add new connection**.
+1. Type `Azure Monitor` in the search bar.
+1. Select **Azure Monitor**.
+1. Click **Add new data source** in the upper right.
+
+You're taken to the **Settings** tab where you can configure the data source.
+
+## Choose an authentication method
+
+The Azure Monitor data source supports four authentication methods. Choose based on where Grafana is hosted and your security requirements:
+
+| Authentication method | Best for                                   | Requirements                                                   |
+| --------------------- | ------------------------------------------ | -------------------------------------------------------------- |
+| **App Registration**  | Any Grafana deployment                     | Microsoft Entra ID app registration with client secret         |
+| **Managed Identity**  | Grafana hosted in Azure (VMs, App Service) | Managed identity enabled on the Azure resource                 |
+| **Workload Identity** | Grafana in Kubernetes (AKS)                | Workload identity federation configured                        |
+| **Current User**      | User-level access control                  | Microsoft Entra ID authentication configured for Grafana login |
+
+## Configure authentication
+
+Select one of the following authentication methods and complete the configuration.
+
+### App Registration
+
+Use a Microsoft Entra ID app registration (service principal) to authenticate. This method works with any Grafana deployment.
+
+#### App Registration prerequisites
+
+1. Create an app registration in Microsoft Entra ID.
+   Refer to the [Azure documentation for creating a service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).
+
+1. Create a client secret for the app registration.
+   Refer to the [Azure documentation for creating a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
+
+1. Assign the `Reader` role to the app registration on the subscription or resources you want to monitor.
+   Refer to the [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+
+#### App Registration UI configuration
+
+| Setting                     | Description                                                                                                                                |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Authentication**          | Select **App Registration**.                                                                                                               |
+| **Azure Cloud**             | The Azure environment to connect to. Select **Azure** for the public cloud, or choose Azure Government or Azure China for national clouds. |
+| **Directory (tenant) ID**   | The GUID that identifies your Microsoft Entra ID tenant.                                                                                   |
+| **Application (client) ID** | The GUID for the app registration you created.                                                                                             |
+| **Client secret**           | The secret key for the app registration. Keep this secure and rotate periodically.                                                         |
+| **Default Subscription**    | Click **Load Subscriptions** to populate available subscriptions, then select your default.                                                |
+
+#### Provision App Registration with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: clientsecret
+      cloudName: azuremonitor # See supported cloud names below
+      tenantId: <tenant-id>
+      clientId: <client-id>
+      subscriptionId: <subscription-id> # Optional, default subscription
+    secureJsonData:
+      clientSecret: <client-secret>
+    version: 1
+```
+
+### Managed Identity
+
+Use Azure Managed Identity for secure, credential-free authentication when Grafana is hosted in Azure.
+
+{{< admonition type="note" >}}
+Managed Identity is available in [Azure Managed Grafana](https://azure.microsoft.com/en-us/products/managed-grafana) or self-hosted Grafana deployed in Azure. It is not available in Grafana Cloud.
+{{< /admonition >}}
+
+#### Managed Identity prerequisites
+
+- Grafana must be hosted in Azure (App Service, Azure VMs, or Azure Managed Grafana).
+- Managed identity must be enabled on the Azure resource hosting Grafana.
+- The managed identity must have the `Reader` role on the subscription or resources you want to monitor.
+
+For details on Azure managed identities, refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
+
+#### Managed Identity Grafana server configuration
+
+Enable managed identity in the Grafana server configuration:
+
+```ini
+[azure]
+managed_identity_enabled = true
+```
+
+To use a user-assigned managed identity instead of the system-assigned identity, also set:
+
+```ini
+[azure]
+managed_identity_enabled = true
+managed_identity_client_id = <USER_ASSIGNED_IDENTITY_CLIENT_ID>
+```
+
+Refer to [Grafana Azure configuration](ref:configure-grafana-azure) for more details.
+
+#### Managed Identity UI configuration
+
+| Setting                  | Description                                                                                         |
+| ------------------------ | --------------------------------------------------------------------------------------------------- |
+| **Authentication**       | Select **Managed Identity**. The directory ID, application ID, and client secret fields are hidden. |
+| **Default Subscription** | Click **Load Subscriptions** to populate available subscriptions, then select your default.         |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-managed-identity-2.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Managed Identity" >}}
+
+#### Provision Managed Identity with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: msi
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+### Workload Identity
+
+Use Azure Workload Identity for secure authentication in Kubernetes environments like AKS.
+
+#### Workload Identity prerequisites
+
+- Grafana must be running in a Kubernetes environment with workload identity federation configured.
+- The workload identity must have the `Reader` role on the subscription or resources you want to monitor.
+
+For details, refer to the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/).
+
+#### Workload Identity Grafana server configuration
+
+Enable workload identity in the Grafana server configuration:
+
+```ini
+[azure]
+workload_identity_enabled = true
+```
+
+Optional configuration variables:
+
+```ini
+[azure]
+workload_identity_enabled = true
+workload_identity_tenant_id = <IDENTITY_TENANT_ID>    # Microsoft Entra ID tenant containing the managed identity
+workload_identity_client_id = <IDENTITY_CLIENT_ID>    # Client ID if different from default
+workload_identity_token_file = <TOKEN_FILE_PATH>      # Path to the token file
+```
+
+Refer to [Grafana Azure configuration](ref:configure-grafana-azure) and the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/) for more details.
+
+#### Workload Identity UI configuration
+
+| Setting                  | Description                                                                                          |
+| ------------------------ | ---------------------------------------------------------------------------------------------------- |
+| **Authentication**       | Select **Workload Identity**. The directory ID, application ID, and client secret fields are hidden. |
+| **Default Subscription** | Click **Load Subscriptions** to populate available subscriptions, then select your default.          |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-workload-identity.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Workload Identity" >}}
+
+#### Provision Workload Identity with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: workloadidentity
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+### Current User
+
+Forward the logged-in Grafana user's Azure credentials to the data source for user-level access control.
+
+{{< admonition type="warning" >}}
+Current User authentication is an [experimental feature](/docs/release-life-cycle/). Engineering and on-call support is not available. Documentation is limited. No SLA is provided. Contact Grafana Support to enable this feature in Grafana Cloud.
+{{< /admonition >}}
+
+#### Current User prerequisites
+
+Your Grafana instance must be configured with Microsoft Entra ID authentication. Refer to the [Microsoft Entra ID authentication documentation](ref:configure-grafana-azure-auth).
+
+#### Configure your Azure App Registration
+
+The App Registration used for Grafana login requires additional configuration:
+
+**Enable token issuance:**
+
+1. In the Azure Portal, open your App Registration.
+1. Select **Authentication** in the side menu.
+1. Under **Implicit grant and hybrid flows**, check both **Access tokens** and **ID tokens**.
+1. Save your changes.
+
+**Add API permissions:**
+
+1. In the Azure Portal, open your App Registration.
+1. Select **API Permissions** in the side menu.
+1. Ensure these permissions are present under **Microsoft Graph**: `openid`, `profile`, `email`, and `offline_access`.
+1. Add the following permissions:
+   - **Azure Service Management** > **Delegated permissions** > `user_impersonation`
+   - **APIs my organization uses** > Search for **Log Analytics API** > **Delegated permissions** > `Data.Read`
+
+Refer to the [Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis) for more information.
+
+**Update Grafana scopes:**
+
+Update the `scopes` section in your Grafana Azure authentication configuration to include the `.default` scope:
+
+```
+.default openid email profile
+```
+
+#### Current User Grafana server configuration
+
+Enable current user authentication in the Grafana server configuration:
+
+```ini
+[azure]
+user_identity_enabled = true
+```
+
+By default, this also enables fallback service credentials. To disable fallback credentials at the instance level:
+
+```ini
+[azure]
+user_identity_enabled = true
+user_identity_fallback_credentials_enabled = false
+```
+
+{{< admonition type="note" >}}
+To use fallback service credentials, the [feature toggle](ref:configure-grafana-feature-toggles) `idForwarding` must be set to `true`.
+{{< /admonition >}}
+
+#### Limitations and fallback credentials
+
+Current User authentication doesn't support backend functionality like alerting, reporting, and recorded queries because user credentials aren't available for background operations.
+
+To support these features, configure **fallback service credentials**. When enabled, Grafana uses the fallback credentials for backend operations. Note that operations using fallback credentials are limited to the permissions of those credentials, not the user's permissions.
+
+{{< admonition type="note" >}}
+Query and resource caching is disabled by default for data sources using Current User authentication.
+{{< /admonition >}}
+
+#### Current User UI configuration
+
+| Setting                          | Description                                                                                 |
+| -------------------------------- | ------------------------------------------------------------------------------------------- |
+| **Authentication**               | Select **Current User**.                                                                    |
+| **Default Subscription**         | Click **Load Subscriptions** to populate available subscriptions, then select your default. |
+| **Fallback Service Credentials** | Enable and configure credentials for backend features like alerting.                        |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-current-user.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Current User authentication" >}}
+
+#### Provision Current User with YAML
+
+{{< admonition type="note" >}}
+The `oauthPassThru` property is required for Current User authentication. The `disableGrafanaCache` property prevents returning cached responses for resources users don't have access to.
+{{< /admonition >}}
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: currentuser
+      oauthPassThru: true
+      disableGrafanaCache: true
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+## Additional configuration options
+
+These settings apply to all authentication methods.
+
+### General settings
+
+| Setting     | Description                                                                     |
+| ----------- | ------------------------------------------------------------------------------- |
+| **Name**    | The data source name used in panels and queries. Example: `azure-monitor-prod`. |
+| **Default** | Toggle to make this the default data source for new panels.                     |
+
+### Enable Basic Logs
+
+Toggle **Enable Basic Logs** to allow queries against [Basic Logs tables](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-query?tabs=portal-1) in supported Log Analytics Workspaces.
+
+{{< admonition type="note" >}}
+Querying Basic Logs tables incurs additional costs on a per-query basis.
+{{< /admonition >}}
+
+### Private data source connect (Grafana Cloud only)
+
+If you're using Grafana Cloud and need to connect to Azure resources in a private network, use Private Data Source Connect (PDC).
+
+1. Click the **Private data source connect** dropdown to select your PDC configuration.
+1. Click **Manage private data source connect** to view your PDC connection details.
+
+For more information, refer to [Private data source connect](ref:private-data-source-connect) and [Configure PDC](ref:configure-pdc).
+
+## Supported cloud names
+
+When provisioning the data source, use the following `cloudName` values:
+
+| Azure Cloud                      | `cloudName` value        |
+| -------------------------------- | ------------------------ |
+| Microsoft Azure public cloud     | `azuremonitor` (default) |
+| Microsoft Chinese national cloud | `chinaazuremonitor`      |
+| US Government cloud              | `govazuremonitor`        |
+
+{{< admonition type="note" >}}
+For Current User authentication, the cloud names differ: use `AzureCloud` for public cloud, `AzureChinaCloud` for the Chinese national cloud, and `AzureUSGovernment` for the US Government cloud.
+{{< /admonition >}}
+
+## Verify the connection
+
+After configuring the data source, click **Save & test**. A successful connection displays a message confirming that the credentials are valid and have access to the configured default subscription.
+
+If the test fails, verify:
+
+- Your credentials are correct (tenant ID, client ID, client secret)
+- The identity has the required Azure RBAC permissions
+- For Managed Identity or Workload Identity, that the Grafana server configuration is correct
+- Network connectivity to Azure endpoints
+
+## Provision the data source
+
+You can define and configure the Azure Monitor data source in YAML files as part of the Grafana provisioning system.
+For more information about provisioning, refer to [Provisioning Grafana](ref:provisioning-data-sources).
+
+### Provision quick reference
+
+| Authentication method | `azureAuthType` value | Required fields                                    |
+| --------------------- | --------------------- | -------------------------------------------------- |
+| App Registration      | `clientsecret`        | `tenantId`, `clientId`, `clientSecret`             |
+| Managed Identity      | `msi`                 | None (uses VM identity)                            |
+| Workload Identity     | `workloadidentity`    | None (uses pod identity)                           |
+| Current User          | `currentuser`         | `oauthPassThru: true`, `disableGrafanaCache: true` |
+
+All methods support the optional `subscriptionId` field to set a default subscription.
+
+For complete YAML examples, see the [authentication method sections](#configure-authentication) above.
+
+## Configure with Terraform
+
+You can configure the Azure Monitor data source using the [Grafana Terraform provider](https://registry.terraform.io/providers/grafana/grafana/latest/docs). This approach enables infrastructure-as-code workflows and version control for your Grafana configuration.
+
+### Terraform prerequisites
+
+- [Terraform](https://www.terraform.io/downloads) installed
+- Grafana Terraform provider configured with appropriate credentials
+- For Grafana Cloud: A [Cloud Access Policy token](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) with data source permissions
+
+### Provider configuration
+
+Configure the Grafana provider to connect to your Grafana instance:
+
+```hcl
+terraform {
+  required_providers {
+    grafana = {
+      source  = "grafana/grafana"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+# For Grafana Cloud
+provider "grafana" {
+  url  = "<YOUR_GRAFANA_CLOUD_STACK_URL>"
+  auth = "<YOUR_SERVICE_ACCOUNT_TOKEN>"
+}
+
+# For self-hosted Grafana
+# provider "grafana" {
+#   url  = "http://localhost:3000"
+#   auth = "<API_KEY_OR_SERVICE_ACCOUNT_TOKEN>"
+# }
+```
+
+### Terraform examples
+
+The following examples show how to configure the Azure Monitor data source for each authentication method.
+
+**App Registration (client secret):**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "clientsecret"
+    cloudName      = "azuremonitor"
+    tenantId       = "<TENANT_ID>"
+    clientId       = "<CLIENT_ID>"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+
+  secure_json_data_encoded = jsonencode({
+    clientSecret = "<CLIENT_SECRET>"
+  })
+}
+```
+
+**Managed Identity:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "msi"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**Workload Identity:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "workloadidentity"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**Current User:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType       = "currentuser"
+    oauthPassThru       = true
+    disableGrafanaCache = true
+    subscriptionId      = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**With Basic Logs enabled:**
+
+Add `enableBasicLogs = true` to any of the above configurations:
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType   = "clientsecret"
+    cloudName       = "azuremonitor"
+    tenantId        = "<TENANT_ID>"
+    clientId        = "<CLIENT_ID>"
+    subscriptionId  = "<SUBSCRIPTION_ID>"
+    enableBasicLogs = true
+  })
+
+  secure_json_data_encoded = jsonencode({
+    clientSecret = "<CLIENT_SECRET>"
+  })
+}
+```
+
+For more information about the Grafana Terraform provider, refer to the [provider documentation](https://registry.terraform.io/providers/grafana/grafana/latest/docs) and the [grafana_data_source resource](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/data_source).

docs/sources/datasources/azure-monitor/query-editor/index.md

@@ -21,6 +21,7 @@ labels:
 menuTitle: Query editor
 title: Azure Monitor query editor
 weight: 300
+last_reviewed: 2025-12-04
 refs:
   query-transform-data-query-options:
     - pattern: /docs/grafana/
@@ -32,30 +33,85 @@ refs:
       destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  explore:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+  troubleshoot-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+  configure-grafana-feature-toggles:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/
+  template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+  alerting-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+  annotations-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
 ---
 
 # Azure Monitor query editor
 
-This topic explains querying specific to the Azure Monitor data source.
-For general documentation on querying data sources in Grafana, see [Query and transform data](ref:query-transform-data).
+Grafana provides a query editor for the Azure Monitor data source, which is located on the [Explore page](ref:explore). You can also access the Azure Monitor query editor from a dashboard panel. Click the menu in the upper right of the panel and select **Edit**.
 
-## Choose a query editing mode
+This document explains querying specific to the Azure Monitor data source.
+For general documentation on querying data sources in Grafana, refer to [Query and transform data](ref:query-transform-data).
 
-The Azure Monitor data source's query editor has three modes depending on which Azure service you want to query:
+The Azure Monitor data source can query data from Azure Monitor Metrics and Logs, the Azure Resource Graph, and Application Insights Traces. Each source has its own specialized query editor.
+
+## Before you begin
+
+- Ensure you have [configured the Azure Monitor data source](ref:configure-azure-monitor).
+- Verify your credentials have appropriate permissions for the resources you want to query.
+
+## Key concepts
+
+If you're new to Azure Monitor, here are some key terms used throughout this documentation:
+
+| Term                           | Description                                                                                                                                                                                                                                                                                                                               |
+| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **KQL (Kusto Query Language)** | The query language used for Azure Monitor Logs and Azure Resource Graph. KQL uses a pipe-based syntax similar to Unix commands and is optimized for read-only data exploration. If you know SQL, the [SQL to Kusto cheat sheet](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet) can help you get started. |
+| **Log Analytics workspace**    | An Azure resource that collects and stores log data from your Azure resources, applications, and services. You query this data using KQL.                                                                                                                                                                                                 |
+| **Application Insights**       | Azure's application performance monitoring (APM) service. It collects telemetry data like requests, exceptions, and traces from your applications.                                                                                                                                                                                        |
+| **Metrics vs. Logs**           | **Metrics** are lightweight numeric values collected at regular intervals (e.g., CPU percentage). **Logs** are detailed records of events with varying schemas (e.g., request logs, error messages). Metrics use a visual query builder; Logs require KQL.                                                                                |
+
+## Choose a query editor mode
+
+The Azure Monitor data source's query editor has four modes depending on which Azure service you want to query:
 
 - **Metrics** for [Azure Monitor Metrics](#query-azure-monitor-metrics)
 - **Logs** for [Azure Monitor Logs](#query-azure-monitor-logs)
-- [**Azure Resource Graph**](#query-azure-resource-graph)
 - **Traces** for [Application Insights Traces](#query-application-insights-traces)
+- **Azure Resource Graph** for [Azure Resource Graph](#query-azure-resource-graph)
 
 ## Query Azure Monitor Metrics
 
-Azure Monitor Metrics collects numeric data from [supported resources](https://docs.microsoft.com/en-us/azure/azure-monitor/monitor-reference), and you can query them to investigate your resources' health and usage and maximise availability and performance.
+Azure Monitor Metrics collects numeric data from [supported resources](https://docs.microsoft.com/en-us/azure/azure-monitor/monitor-reference), and you can query them to investigate your resources' health and usage and maximize availability and performance.
 
 Monitor Metrics use a lightweight format that stores only numeric data in a specific structure and supports near real-time scenarios, making it useful for fast detection of issues.
 In contrast, Azure Monitor Logs can store a variety of data types, each with their own structure.
 
-{{< figure src="/static/img/docs/azure-monitor/query-editor-metrics.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Logs Metrics sample query visualizing CPU percentage over time" >}}
+{{< figure src="/static/img/docs/azure-monitor/query-editor-metrics.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor Metrics sample query visualizing CPU percentage over time" >}}
 
 ### Create a Metrics query
 
@@ -85,7 +141,7 @@ Optionally, you can apply further aggregations or filter by dimensions.
 
 The available options change depending on what is relevant to the selected metric.
 
-You can also augment queries by using [template variables](../template-variables/).
+You can also augment queries by using [template variables](ref:template-variables).
 
 ### Format legend aliases
 
@@ -109,7 +165,7 @@ For example:
 | `{{ dimensionname }}`          | _(Legacy for backward compatibility)_ Replaced with the name of the first dimension.                   |
 | `{{ dimensionvalue }}`         | _(Legacy for backward compatibility)_ Replaced with the value of the first dimension.                  |
 
-### Filter using dimensions
+### Filter with dimensions
 
 Some metrics also have dimensions, which associate additional metadata.
 Dimensions are represented as key-value pairs assigned to each value of a metric.
@@ -121,7 +177,7 @@ For more information on multi-dimensional metrics, refer to the [Azure Monitor d
 
 ## Query Azure Monitor Logs
 
-Azure Monitor Logs collects and organises log and performance data from [supported resources](https://docs.microsoft.com/en-us/azure/azure-monitor/monitor-reference), and makes many sources of data available to query together with the [Kusto Query Language (KQL)](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/).
+Azure Monitor Logs collects and organizes log and performance data from [supported resources](https://docs.microsoft.com/en-us/azure/azure-monitor/monitor-reference), and makes many sources of data available to query together with the [Kusto Query Language (KQL)](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/).
 
 While Azure Monitor Metrics stores only simplified numerical data, Logs can store different data types, each with their own structure.
 You can also perform complex analysis of Logs data by using KQL.
@@ -130,6 +186,32 @@ The Azure Monitor data source also supports querying of [Basic Logs](https://lea
 
 {{< figure src="/static/img/docs/azure-monitor/query-editor-logs.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor Logs sample query comparing successful requests to failed requests" >}}
 
+### Logs query builder (public preview)
+
+{{< admonition type="note" >}}
+The Logs query builder is a [public preview feature](/docs/release-life-cycle/). It may not be enabled in all Grafana environments.
+{{< /admonition >}}
+
+The Logs query builder provides a visual interface for building Azure Monitor Logs queries without writing KQL. This is helpful if you're new to KQL or want to quickly build simple queries.
+
+**To enable the Logs query builder:**
+
+1. Enable the `azureMonitorLogsBuilderEditor` [feature toggle](ref:configure-grafana-feature-toggles) in your Grafana configuration.
+1. Restart Grafana for the change to take effect.
+
+**To switch between Builder and Code modes:**
+
+When the feature is enabled, a **Builder / Code** toggle appears in the Logs query editor:
+
+- **Builder**: Use the visual interface to select tables, columns, filters, and aggregations. The builder generates the KQL query for you.
+- **Code**: Write KQL queries directly. Use this mode for complex queries that require full KQL capabilities.
+
+New queries default to Builder mode. Existing queries that were created with raw KQL remain in Code mode.
+
+{{< admonition type="note" >}}
+You can switch from Builder to Code mode at any time to view or edit the generated KQL. However, switching from Code to Builder mode may not preserve complex queries that can't be represented in the builder interface.
+{{< /admonition >}}
+
 ### Create a Logs query
 
 **To create a Logs query:**
@@ -140,13 +222,13 @@ The Azure Monitor data source also supports querying of [Basic Logs](https://lea
 
    Alternatively, you can dynamically query all resources under a single resource group or subscription.
    {{< admonition type="note" >}}
-   If a timespan is specified in the query, the overlap of the timespan between the query and the dashboard will be used as the query timespan. See the [API documentation for
+   If a time span is specified in the query, the overlap between the query time span and the dashboard time range will be used. See the [API documentation for
    details.](https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP#uri-parameters)
    {{< /admonition >}}
 
 1. Enter your KQL query.
 
-You can also augment queries by using [template variables](../template-variables/).
+You can also augment queries by using [template variables](ref:template-variables).
 
 **To create a Basic Logs query:**
 
@@ -161,7 +243,7 @@ You can also augment queries by using [template variables](../template-variables
    {{< /admonition >}}
 1. Enter your KQL query.
 
-You can also augment queries by using [template variables](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/).
+You can also augment queries by using [template variables](ref:template-variables).
 
 ### Logs query examples
 
@@ -174,24 +256,28 @@ The Azure documentation includes resources to help you learn KQL:
 - [Tutorial: Use Kusto queries in Azure Monitor](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor)
 - [SQL to Kusto cheat sheet](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet)
 
-> **Time-range:** The time-range that will be used for the query can be modified via the time-range switch. Selecting `Query` will only make use of time-ranges specified within the query.
-> Specifying `Dashboard` will only make use of the Grafana time-range.
-> If there are no time-ranges specified within the query, the default Log Analytics time-range will apply.
-> For more details on this change, refer to the [Azure Monitor Logs API documentation](https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP#uri-parameters).
-> If the `Intersection` option was previously chosen it will be migrated by default to `Dashboard`.
+{{< admonition type="note" >}}
+**Time-range:** The time-range used for the query can be modified via the time-range switch:
 
-This example query returns a virtual machine's CPU performance, averaged over 5ms time grains:
+- Selecting **Query** uses only time-ranges specified within the query.
+- Selecting **Dashboard** uses only the Grafana dashboard time-range.
+- If no time-range is specified in the query, the default Log Analytics time-range applies.
+
+For more details, refer to the [Azure Monitor Logs API documentation](https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP#uri-parameters). If you previously used the `Intersection` option, it has been migrated to `Dashboard`.
+{{< /admonition >}}
+
+This example query returns a virtual machine's CPU performance, averaged over 5-minute time grains:
 
 ```kusto
 Perf
-# $__timeFilter is a special Grafana macro that filters the results to the time span of the dashboard
+// $__timeFilter is a special Grafana macro that filters the results to the time span of the dashboard
 | where $__timeFilter(TimeGenerated)
 | where CounterName == "% Processor Time"
 | summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer
 | order by TimeGenerated asc
 ```
 
-Use time series queries for values that change over time, usually for graph visualisations such as the Time series panel.
+Use time series queries for values that change over time, usually for graph visualizations such as the Time series panel.
 Each query should return at least a datetime column and numeric value column.
 The result must also be sorted in ascending order by the datetime column.
 
@@ -357,21 +443,33 @@ Application Insights stores trace data in an underlying Log Analytics workspace
    This query type only supports Application Insights resources.
    {{< /admonition >}}
 
-Running a query of this kind will return all trace data within the timespan specified by the panel/dashboard.
+1. (Optional) Specify an **Operation ID** value to filter traces.
+1. (Optional) Specify **event types** to filter by.
+1. (Optional) Specify **event properties** to filter by.
+1. (Optional) Change the **Result format** to switch between tabular format and trace format.
 
-Optionally, you can apply further filtering or select a specific Operation ID to query. The result format can also be switched between a tabular format or the trace format which will return the data in a format that can be used with the Trace visualization.
+   {{< admonition type="note" >}}
+   Selecting the trace format filters events to only the `trace` type. Use this format with the Trace visualization.
+   {{< /admonition >}}
 
-{{< admonition type="note" >}}
-Selecting the trace format will filter events with the `trace` type.
-{{< /admonition >}}
+Running a query returns all trace data within the time span specified by the panel or dashboard time range.
 
-1. Specify an Operation ID value.
-1. Specify event types to filter by.
-1. Specify event properties to filter by.
+You can also augment queries by using [template variables](ref:template-variables).
 
-You can also augment queries by using [template variables](../template-variables/).
+## Use queries for alerting and recording rules
 
-## Working with large Azure resource data sets
+All Azure Monitor query types (Metrics, Logs, Azure Resource Graph, and Traces) can be used with Grafana Alerting and recording rules.
+
+For detailed information about creating alert rules, supported query types, authentication requirements, and examples, refer to [Azure Monitor alerting](ref:alerting-azure-monitor).
+
+## Work with large Azure resource datasets
 
 If a request exceeds the [maximum allowed value of records](https://docs.microsoft.com/en-us/azure/governance/resource-graph/concepts/work-with-data#paging-results), the result is paginated and only the first page of results are returned.
 You can use filters to reduce the amount of records returned under that value.
+
+## Next steps
+
+- [Use template variables](../template-variables/) to create dynamic, reusable dashboards
+- [Add annotations](ref:annotations-azure-monitor) to overlay events on your graphs
+- [Set up alerting](ref:alerting-azure-monitor) to create alert rules based on Azure Monitor data
+- [Troubleshoot](ref:troubleshoot-azure-monitor) common query and configuration issues

docs/sources/datasources/azure-monitor/template-variables/index.md

@@ -23,6 +23,7 @@ labels:
 menuTitle: Template variables
 title: Azure Monitor template variables
 weight: 400
+last_reviewed: 2025-12-04
 refs:
   variables:
     - pattern: /docs/grafana/
@@ -34,6 +35,11 @@ refs:
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/add-template-variables/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/add-template-variables/
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
 ---
 
 # Azure Monitor template variables
@@ -42,58 +48,173 @@ Instead of hard-coding details such as resource group or resource name values in
 This helps you create more interactive, dynamic, and reusable dashboards.
 Grafana refers to such variables as template variables.
 
-For an introduction to templating and template variables, refer to the [Templating](ref:variables) and [Add and manage variables](ref:add-template-variables) documentation.
+For an introduction to templating and template variables, refer to the [Templating](ref:variables) and [Add and manage variables](ref:add-template-variables).
 
-## Use query variables
+## Before you begin
 
-You can specify these Azure Monitor data source queries in the Variable edit view's **Query Type** field.
+- Ensure you have [configured the Azure Monitor data source](ref:configure-azure-monitor).
+- If you want template variables to auto-populate subscriptions, set a **Default Subscription** in the data source configuration.
 
-| Name                    | Description                                                                                                                                    |
-| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Subscriptions**       | Returns subscriptions.                                                                                                                         |
-| **Resource Groups**     | Returns resource groups for a specified subscription. Supports multi-value.                                                                    |
-| **Namespaces**          | Returns metric namespaces for the specified subscription. If a resource group is provided, only the namespaces within that group are returned. |
-| **Regions**             | Returns regions for the specified subscription                                                                                                 |
-| **Resource Names**      | Returns a list of resource names for a specified subscription, resource group and namespace. Supports multi-value.                             |
-| **Metric Names**        | Returns a list of metric names for a resource.                                                                                                 |
-| **Workspaces**          | Returns a list of workspaces for the specified subscription.                                                                                   |
-| **Logs**                | Use a KQL query to return values.                                                                                                              |
-| **Custom Namespaces**   | Returns metric namespaces for the specified resource.                                                                                          |
-| **Custom Metric Names** | Returns a list of custom metric names for the specified resource.                                                                              |
+## Create a template variable
+
+To create a template variable for Azure Monitor:
+
+1. Open the dashboard where you want to add the variable.
+1. Click **Dashboard settings** (gear icon) in the top navigation.
+1. Select **Variables** in the left menu.
+1. Click **Add variable**.
+1. Enter a **Name** for your variable (e.g., `subscription`, `resourceGroup`, `resource`).
+1. In the **Type** dropdown, select **Query**.
+1. In the **Data source** dropdown, select your Azure Monitor data source.
+1. In the **Query Type** dropdown, select the appropriate query type (see [Available query types](#available-query-types)).
+1. Configure any additional fields required by the selected query type.
+1. Click **Run query** to preview the variable values.
+1. Configure display options such as **Multi-value** or **Include All option** as needed.
+1. Click **Apply** to save the variable.
+
+## Available query types
+
+The Azure Monitor data source provides the following query types for template variables:
+
+| Query type              | Description                                                                                                                            |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| **Subscriptions**       | Returns a list of Azure subscriptions accessible to the configured credentials.                                                        |
+| **Resource Groups**     | Returns resource groups for a specified subscription. Supports multi-value selection.                                                  |
+| **Namespaces**          | Returns metric namespaces for the specified subscription. If a resource group is specified, returns only namespaces within that group. |
+| **Regions**             | Returns Azure regions available for the specified subscription.                                                                        |
+| **Resource Names**      | Returns resource names for a specified subscription, resource group, and namespace. Supports multi-value selection.                    |
+| **Metric Names**        | Returns available metric names for a specified resource.                                                                               |
+| **Workspaces**          | Returns Log Analytics workspaces for the specified subscription.                                                                       |
+| **Logs**                | Executes a KQL query and returns the results as variable values. See [Create a Logs variable](#create-a-logs-variable).                |
+| **Custom Namespaces**   | Returns custom metric namespaces for a specified resource.                                                                             |
+| **Custom Metric Names** | Returns custom metric names for a specified resource.                                                                                  |
 
 {{< admonition type="note" >}}
-Custom metrics cannot be emitted against a subscription or resource group. Select resources only when you need to retrieve custom metric namespaces or custom metric names associated with a specific resource.
+Custom metrics cannot be emitted against a subscription or resource group. Select specific resources when retrieving custom metric namespaces or custom metric names.
 {{< /admonition >}}
 
-You can use any Log Analytics Kusto Query Language (KQL) query that returns a single list of values in the `Query` field.
-For example:
+## Create cascading variables
 
-| Query                                                                                     | List of values returned                 |
-| ----------------------------------------------------------------------------------------- | --------------------------------------- |
-| `workspace("myWorkspace").Heartbeat \| distinct Computer`                                 | Virtual machines                        |
-| `workspace("$workspace").Heartbeat \| distinct Computer`                                  | Virtual machines with template variable |
-| `workspace("$workspace").Perf \| distinct ObjectName`                                     | Objects from the Perf table             |
-| `workspace("$workspace").Perf \| where ObjectName == "$object"` `\| distinct CounterName` | Metric names from the Perf table        |
+Cascading variables (also called dependent or chained variables) allow you to create dropdown menus that filter based on previous selections. This is useful for drilling down from subscription to resource group to specific resource.
 
-### Query variable example
+### Example: Subscription → Resource Group → Resource Name
 
-This time series query uses query variables:
+**Step 1: Create a Subscription variable**
+
+1. Create a variable named `subscription`.
+1. Set **Query Type** to **Subscriptions**.
+
+**Step 2: Create a Resource Group variable**
+
+1. Create a variable named `resourceGroup`.
+1. Set **Query Type** to **Resource Groups**.
+1. In the **Subscription** field, select `$subscription`.
+
+**Step 3: Create a Resource Name variable**
+
+1. Create a variable named `resource`.
+1. Set **Query Type** to **Resource Names**.
+1. In the **Subscription** field, select `$subscription`.
+1. In the **Resource Group** field, select `$resourceGroup`.
+1. Select the appropriate **Namespace** for your resources (e.g., `Microsoft.Compute/virtualMachines`).
+
+Now when you change the subscription, the resource group dropdown updates automatically, and when you change the resource group, the resource name dropdown updates.
+
+## Create a Logs variable
+
+The **Logs** query type lets you use a KQL query to populate variable values. The query must return a single column of values.
+
+**To create a Logs variable:**
+
+1. Create a new variable with **Query Type** set to **Logs**.
+1. Select a **Resource** (Log Analytics workspace or Application Insights resource).
+1. Enter a KQL query that returns a single column.
+
+### Logs variable query examples
+
+| Query                                     | Returns                               |
+| ----------------------------------------- | ------------------------------------- |
+| `Heartbeat \| distinct Computer`          | List of virtual machine names         |
+| `Perf \| distinct ObjectName`             | List of performance object names      |
+| `AzureActivity \| distinct ResourceGroup` | List of resource groups with activity |
+| `AppRequests \| distinct Name`            | List of application request names     |
+
+You can reference other variables in your Logs query:
+
+```kusto
+workspace("$workspace").Heartbeat | distinct Computer
+```
+
+```kusto
+workspace("$workspace").Perf
+| where ObjectName == "$object"
+| distinct CounterName
+```
+
+## Variable refresh options
+
+Control when your variables refresh by setting the **Refresh** option:
+
+| Option                   | Behavior                                                                                  |
+| ------------------------ | ----------------------------------------------------------------------------------------- |
+| **On dashboard load**    | Variables refresh each time the dashboard loads. Best for data that changes infrequently. |
+| **On time range change** | Variables refresh when the dashboard time range changes. Use for time-sensitive queries.  |
+
+For dashboards with many variables or complex queries, use **On dashboard load** to improve performance.
+
+## Use variables in queries
+
+After you create template variables, you can use them in your Azure Monitor queries by referencing them with the `$` prefix.
+
+### Metrics query example
+
+In a Metrics query, select your variables in the resource picker fields:
+
+- **Subscription**: `$subscription`
+- **Resource Group**: `$resourceGroup`
+- **Resource Name**: `$resource`
+
+### Logs query example
+
+Reference variables directly in your KQL queries:
 
 ```kusto
 Perf
 | where ObjectName == "$object" and CounterName == "$metric"
 | where TimeGenerated >= $__timeFrom() and TimeGenerated <= $__timeTo()
-| where  $__contains(Computer, $computer)
+| where $__contains(Computer, $computer)
 | summarize avg(CounterValue) by bin(TimeGenerated, $__interval), Computer
 | order by TimeGenerated asc
 ```
 
-### Multi-value variables
+## Multi-value variables
 
-It is possible to select multiple values for **Resource Groups** and **Resource Names** and use a single metrics query pointing to those values as long as they:
+You can enable **Multi-value** selection for **Resource Groups** and **Resource Names** variables. When using multi-value variables in a Metrics query, all selected resources must:
 
-- Belong to the same subscription.
-- Are in the same region.
-- Are of the same type (namespace).
+- Belong to the same subscription
+- Be in the same Azure region
+- Be of the same resource type (namespace)
 
-Also, note that if a template variable pointing to multiple resource groups or names is used in another template variable as a parameter (e.g. to retrieve metric names), only the first value will be used. This means that the combination of the first resource group and name selected should be valid.
+{{< admonition type="note" >}}
+When a multi-value variable is used as a parameter in another variable query (for example, to retrieve metric names), only the first selected value is used. Ensure the first resource group and resource name combination is valid.
+{{< /admonition >}}
+
+## Troubleshoot template variables
+
+If you encounter issues with template variables, try the following solutions.
+
+### Variable returns no values
+
+- Verify the Azure Monitor data source is configured correctly and can connect to Azure.
+- Check that the credentials have appropriate permissions to list the requested resources.
+- For cascading variables, ensure parent variables have valid selections.
+
+### Variable values are outdated
+
+- Check the **Refresh** setting and adjust if needed.
+- Click the refresh icon next to the variable dropdown to manually refresh.
+
+### Multi-value selection not working in queries
+
+- Ensure the resources meet the requirements (same subscription, region, and type).
+- For Logs queries, use the `$__contains()` macro to handle multi-value variables properly.

docs/sources/datasources/azure-monitor/troubleshooting/index.md

@@ -0,0 +1,320 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/troubleshooting/
+description: Troubleshooting guide for the Azure Monitor data source in Grafana
+keywords:
+  - grafana
+  - azure
+  - monitor
+  - troubleshooting
+  - errors
+  - authentication
+  - query
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Troubleshoot
+title: Troubleshoot Azure Monitor data source issues
+weight: 500
+last_reviewed: 2025-12-04
+refs:
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+  query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+---
+
+# Troubleshoot Azure Monitor data source issues
+
+This document provides solutions to common issues you may encounter when configuring or using the Azure Monitor data source.
+
+## Configuration and authentication errors
+
+These errors typically occur when setting up the data source or when authentication credentials are invalid.
+
+### "Authorization failed" or "Access denied"
+
+**Symptoms:**
+
+- Save & test fails with "Authorization failed"
+- Queries return "Access denied" errors
+- Subscriptions don't load when clicking **Load Subscriptions**
+
+**Possible causes and solutions:**
+
+| Cause                                              | Solution                                                                                                                                                                                                                                                                    |
+| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| App registration doesn't have required permissions | Assign the `Reader` role to the app registration on the subscription or resource group you want to monitor. Refer to the [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current). |
+| Incorrect tenant ID, client ID, or client secret   | Verify the credentials in the Azure Portal under **App registrations** > your app > **Overview** (for IDs) and **Certificates & secrets** (for secret).                                                                                                                     |
+| Client secret has expired                          | Create a new client secret in Azure and update the data source configuration.                                                                                                                                                                                               |
+| Managed Identity not enabled on the Azure resource | For VMs, enable managed identity in the Azure Portal under **Identity**. For App Service, enable it under **Identity** in the app settings.                                                                                                                                 |
+| Managed Identity not assigned the Reader role      | Assign the `Reader` role to the managed identity on the target subscription or resources.                                                                                                                                                                                   |
+
+### "Invalid client secret" or "Client secret not found"
+
+**Symptoms:**
+
+- Authentication fails immediately after configuration
+- Error message references invalid credentials
+
+**Solutions:**
+
+1. Ensure you copied the client secret **value**, not the secret ID. In Azure Portal under **Certificates & secrets**, the secret value is only shown once when created. The secret ID is a different identifier and won't work for authentication.
+2. Verify the client secret was copied correctly (no extra spaces or truncation).
+3. Check if the secret has expired in Azure Portal under **App registrations** > your app > **Certificates & secrets**.
+4. Create a new secret and update the data source configuration.
+
+### "Tenant not found" or "Invalid tenant ID"
+
+**Symptoms:**
+
+- Data source test fails with tenant-related errors
+- Unable to authenticate
+
+**Solutions:**
+
+1. Verify the Directory (tenant) ID in Azure Portal under **Microsoft Entra ID** > **Overview**.
+2. Ensure you're using the correct Azure cloud setting (Azure, Azure Government, or Azure China).
+3. Check that the tenant ID is a valid GUID format.
+
+### Managed Identity not working
+
+**Symptoms:**
+
+- Managed Identity option is available but authentication fails
+- Error: "Managed identity authentication is not available"
+
+**Solutions:**
+
+1. Verify `managed_identity_enabled = true` is set in the Grafana server configuration under `[azure]`.
+2. Confirm the Azure resource hosting Grafana has managed identity enabled.
+3. For user-assigned managed identity, ensure `managed_identity_client_id` is set correctly.
+4. Verify the managed identity has the `Reader` role on the target resources.
+5. Restart Grafana after changing server configuration.
+
+### Workload Identity not working
+
+**Symptoms:**
+
+- Workload Identity authentication fails in Kubernetes/AKS environment
+- Token file errors
+
+**Solutions:**
+
+1. Verify `workload_identity_enabled = true` is set in the Grafana server configuration.
+2. Check that the service account is correctly annotated for workload identity.
+3. Verify the federated credential is configured in Azure.
+4. Ensure the token path is accessible to the Grafana pod.
+5. Check the workload identity webhook is running in the cluster.
+
+## Query errors
+
+These errors occur when executing queries against Azure Monitor services.
+
+### "No data" or empty results
+
+**Symptoms:**
+
+- Query executes without error but returns no data
+- Charts show "No data" message
+
+**Possible causes and solutions:**
+
+| Cause                             | Solution                                                                                                                         |
+| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| Time range doesn't contain data   | Expand the dashboard time range or verify data exists in Azure Portal.                                                           |
+| Wrong resource selected           | Verify you've selected the correct subscription, resource group, and resource.                                                   |
+| Metric not available for resource | Not all metrics are available for all resources. Check available metrics in Azure Portal under the resource's **Metrics** blade. |
+| Metric has no values              | Some metrics only populate under certain conditions (e.g., error counts when errors occur).                                      |
+| Permissions issue                 | Verify the identity has read access to the specific resource.                                                                    |
+
+### "Bad request" or "Invalid query"
+
+**Symptoms:**
+
+- Query fails with 400 error
+- Error message indicates query syntax issues
+
+**Solutions for Logs queries:**
+
+1. Validate your KQL syntax in the Azure Portal Log Analytics query editor.
+2. Check for typos in table names or column names.
+3. Ensure referenced tables exist in the selected workspace.
+4. Verify the time range is valid (not in the future, not too far in the past for data retention).
+
+**Solutions for Metrics queries:**
+
+1. Verify the metric name is valid for the selected resource type.
+2. Check that dimension filters use valid dimension names and values.
+3. Ensure the aggregation type is supported for the selected metric.
+
+### "Resource not found"
+
+**Symptoms:**
+
+- Query fails with 404 error
+- Resource picker shows resources that can't be queried
+
+**Solutions:**
+
+1. Verify the resource still exists in Azure (it may have been deleted or moved).
+2. Check that the subscription is correct.
+3. Refresh the resource picker by re-selecting the subscription.
+4. Verify the identity has access to the resource's resource group.
+
+### Logs query timeout
+
+**Symptoms:**
+
+- Query runs for a long time then fails
+- Error mentions timeout or query limits
+
+**Solutions:**
+
+1. Narrow the time range to reduce data volume.
+2. Add filters to reduce the result set.
+3. Use `summarize` to aggregate data instead of returning raw rows.
+4. Consider using Basic Logs for large datasets (if enabled).
+5. Break complex queries into smaller parts.
+
+### "Metrics not available" for a resource
+
+**Symptoms:**
+
+- Resource appears in picker but no metrics are listed
+- Metric dropdown is empty
+
+**Solutions:**
+
+1. Verify the resource type supports Azure Monitor metrics.
+2. Check if the resource is in a region that supports metrics.
+3. Some resources require diagnostic settings to emit metrics—configure these in Azure Portal.
+4. Try selecting a different namespace for the resource.
+
+## Azure Resource Graph errors
+
+These errors are specific to Azure Resource Graph (ARG) queries.
+
+### "Query execution failed"
+
+**Symptoms:**
+
+- ARG query fails with execution errors
+- Results don't match expected resources
+
+**Solutions:**
+
+1. Validate query syntax in Azure Portal Resource Graph Explorer.
+2. Check that you have access to the subscriptions being queried.
+3. Verify table names are correct (e.g., `Resources`, `ResourceContainers`).
+4. Some ARG features require specific permissions, check [ARG documentation](https://docs.microsoft.com/en-us/azure/governance/resource-graph/).
+
+### Query returns incomplete results
+
+**Symptoms:**
+
+- Not all expected resources appear in results
+- Results seem truncated
+
+**Solutions:**
+
+1. ARG queries are paginated. The data source handles pagination automatically, but very large result sets may be limited.
+2. Add filters to reduce result set size.
+3. Verify you have access to all subscriptions containing the resources.
+
+## Application Insights Traces errors
+
+These errors are specific to the Traces query type.
+
+### "No traces found"
+
+**Symptoms:**
+
+- Trace query returns empty results
+- Operation ID search finds nothing
+
+**Solutions:**
+
+1. Verify the Application Insights resource is collecting trace data.
+2. Check that the time range includes when the traces were generated.
+3. Ensure the Operation ID is correct (copy directly from another trace or log).
+4. Verify the identity has access to the Application Insights resource.
+
+## Template variable errors
+
+For detailed troubleshooting of template variables, refer to the [template variables troubleshooting section](ref:template-variables).
+
+### Variables return no values
+
+**Solutions:**
+
+1. Verify the data source connection is working (test it in the data source settings).
+2. Check that parent variables (for cascading variables) have valid selections.
+3. Verify the identity has permissions to list the requested resources.
+4. For Logs variables, ensure the KQL query returns a single column.
+
+### Variables are slow to load
+
+**Solutions:**
+
+1. Set variable refresh to **On dashboard load** instead of **On time range change**.
+2. Reduce the scope of variable queries (e.g., filter by resource group instead of entire subscription).
+3. For Logs variables, optimize the KQL query to return results faster.
+
+## Connection and network errors
+
+These errors indicate problems with network connectivity between Grafana and Azure services.
+
+### "Connection refused" or timeout errors
+
+**Symptoms:**
+
+- Data source test fails with network errors
+- Queries timeout without returning results
+
+**Solutions:**
+
+1. Verify network connectivity from Grafana to Azure endpoints.
+2. Check firewall rules allow outbound HTTPS (port 443) to Azure services.
+3. For private networks, ensure Private Link or VPN is configured correctly.
+4. For Grafana Cloud, configure [Private Data Source Connect](ref:configure-azure-monitor) if accessing private resources.
+
+### SSL/TLS certificate errors
+
+**Symptoms:**
+
+- Certificate validation failures
+- SSL handshake errors
+
+**Solutions:**
+
+1. Ensure the system time is correct (certificate validation fails with incorrect time).
+2. Verify corporate proxy isn't intercepting HTTPS traffic.
+3. Check that required CA certificates are installed on the Grafana server.
+
+## Get additional help
+
+If you've tried the solutions above and still encounter issues:
+
+1. Check the [Grafana community forums](https://community.grafana.com/) for similar issues.
+1. Review the [Azure Monitor data source GitHub issues](https://github.com/grafana/grafana/issues) for known bugs.
+1. Enable debug logging in Grafana to capture detailed error information.
+1. Contact Grafana Support if you're an Enterprise, Cloud Pro or Cloud Contracted user.
+1. When reporting issues, include:
+   - Grafana version
+   - Error messages (redact sensitive information)
+   - Steps to reproduce
+   - Relevant configuration (redact credentials)

docs/sources/datasources/elasticsearch/_index.md

@@ -17,16 +17,6 @@ menuTitle: Elasticsearch
 title: Elasticsearch data source
 weight: 325
 refs:
-  configuration:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#sigv4_auth_enabled
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#sigv4_auth_enabled
-  provisioning-grafana:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
   explore:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/explore/
@@ -44,12 +34,36 @@ refs:
 Elasticsearch is a search and analytics engine used for a variety of use cases.
 You can create many types of queries to visualize logs or metrics stored in Elasticsearch, and annotate graphs with log events stored in Elasticsearch.
 
-The following will help you get started working with Elasticsearch and Grafana:
+The following resources will help you get started with Elasticsearch and Grafana:
 
 - [What is Elasticsearch?](https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-intro.html)
-- [Configure the Elasticsearch data source](/docs/grafana/latest/datasources/elasticsearch/configure-elasticsearch-data-source/)
-- [Elasticsearch query editor](query-editor/)
-- [Elasticsearch template variables](template-variables/)
+- [Configure the Elasticsearch data source](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/configure/)
+- [Elasticsearch query editor](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/query-editor/)
+- [Elasticsearch template variables](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/template-variables/)
+- [Elasticsearch annotations](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/annotations/)
+- [Elasticsearch alerting](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/alerting/)
+- [Troubleshooting issues with the Elasticsearch data source](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/troubleshooting/)
+
+## Key capabilities
+
+The Elasticsearch data source supports:
+
+- **Metrics queries:** Aggregate and visualize numeric data using bucket and metric aggregations.
+- **Log queries:** Search, filter, and explore log data with Lucene query syntax.
+- **Annotations:** Overlay Elasticsearch events on your dashboard graphs.
+- **Alerting:** Create alerts based on Elasticsearch query results.
+
+## Before you begin
+
+Before you configure the Elasticsearch data source, you need:
+
+- An Elasticsearch instance (v7.17+, v8.x, or v9.x)
+- Network access from Grafana to your Elasticsearch server
+- Appropriate user credentials or API keys with read access
+
+{{< admonition type="note" >}}
+If you use Amazon OpenSearch Service (the successor to Amazon Elasticsearch Service), use the [OpenSearch data source](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/opensearch/) instead.
+{{< /admonition >}}
 
 ## Supported Elasticsearch versions
 
@@ -63,86 +77,18 @@ This data source supports these versions of Elasticsearch:
 - v8.x
 - v9.x
 
-Our maintenance policy for Elasticsearch data source is aligned with the [Elastic Product End of Life Dates](https://www.elastic.co/support/eol) and we ensure proper functionality for supported versions. If you are using an Elasticsearch with version that is past its end-of-life (EOL), you can still execute queries, but you will receive a notification in the query builder indicating that the version of Elasticsearch you are using is no longer supported. It's important to note that in such cases, we do not guarantee the correctness of the functionality, and we will not be addressing any related issues.
+The Grafana maintenance policy for the Elasticsearch data source aligns with [Elastic Product End of Life Dates](https://www.elastic.co/support/eol). Grafana ensures proper functionality for supported versions only. If you use an EOL version of Elasticsearch, you can still run queries, but the query builder displays a warning. Grafana doesn't guarantee functionality or provide fixes for EOL versions.
 
-## Provision the data source
+## Additional resources
 
-You can define and configure the data source in YAML files as part of Grafana's provisioning system.
-For more information about provisioning, and for available configuration options, refer to [Provisioning Grafana](ref:provisioning-grafana).
+Once you have configured the Elasticsearch data source, you can:
 
-{{< admonition type="note" >}}
-The previously used `database` field has now been [deprecated](https://github.com/grafana/grafana/pull/58647).
-You should now use the `index` field in `jsonData` to store the index name.
-Please see the examples below.
-{{< /admonition >}}
+- Use [Explore](ref:explore) to run ad-hoc queries against your Elasticsearch data.
+- Configure and use [template variables](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/template-variables/) for dynamic dashboards.
+- Add [Transformations](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/) to process query results.
+- [Build dashboards](ref:build-dashboards) to visualize your Elasticsearch data.
 
-### Provisioning examples
+## Related data sources
 
-**Basic provisioning**
-
-```yaml
-apiVersion: 1
-
-datasources:
-  - name: Elastic
-    type: elasticsearch
-    access: proxy
-    url: http://localhost:9200
-    jsonData:
-      index: '[metrics-]YYYY.MM.DD'
-      interval: Daily
-      timeField: '@timestamp'
-```
-
-**Provision for logs**
-
-```yaml
-apiVersion: 1
-
-datasources:
-  - name: elasticsearch-v7-filebeat
-    type: elasticsearch
-    access: proxy
-    url: http://localhost:9200
-    jsonData:
-      index: '[filebeat-]YYYY.MM.DD'
-      interval: Daily
-      timeField: '@timestamp'
-      logMessageField: message
-      logLevelField: fields.level
-      dataLinks:
-        - datasourceUid: my_jaeger_uid # Target UID needs to be known
-          field: traceID
-          url: '$${__value.raw}' # Careful about the double "$$" because of env var expansion
-```
-
-## Configure Amazon Elasticsearch Service
-
-If you use Amazon Elasticsearch Service, you can use Grafana's Elasticsearch data source to visualize data from it.
-
-If you use an AWS Identity and Access Management (IAM) policy to control access to your Amazon Elasticsearch Service domain, you must use AWS Signature Version 4 (AWS SigV4) to sign all requests to that domain.
-
-For details on AWS SigV4, refer to the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
-
-### AWS Signature Version 4 authentication
-
-To sign requests to your Amazon Elasticsearch Service domain, you can enable SigV4 in Grafana's [configuration](ref:configuration).
-
-Once AWS SigV4 is enabled, you can configure it on the Elasticsearch data source configuration page.
-For more information about AWS authentication options, refer to [AWS authentication](../aws-cloudwatch/aws-authentication/).
-
-{{< figure src="/static/img/docs/v73/elasticsearch-sigv4-config-editor.png" max-width="500px" class="docs-image--no-shadow" caption="SigV4 configuration for AWS Elasticsearch Service" >}}
-
-## Query the data source
-
-You can select multiple metrics and group by multiple terms or filters when using the Elasticsearch query editor.
-
-For details, see the [query editor documentation](query-editor/).
-
-## Use template variables
-
-Instead of hard-coding details such as server, application, and sensor names in metric queries, you can use variables.
-Grafana lists these variables in dropdown select boxes at the top of the dashboard to help you change the data displayed in your dashboard.
-Grafana refers to such variables as template variables.
-
-For details, see the [template variables documentation](template-variables/).
+- [OpenSearch](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/opensearch/) - For Amazon OpenSearch Service.
+- [Loki](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/datasources/loki/) - Grafana's log aggregation system.

docs/sources/datasources/elasticsearch/alerting/index.md

@@ -0,0 +1,144 @@
+---
+aliases:
+  - ../../data-sources/elasticsearch/alerting/
+description: Using Grafana Alerting with the Elasticsearch data source
+keywords:
+  - grafana
+  - elasticsearch
+  - alerting
+  - alerts
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Alerting
+title: Elasticsearch alerting
+weight: 550
+refs:
+  alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/
+  create-alert-rule:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/alerting-rules/create-grafana-managed-rule/
+---
+
+# Elasticsearch alerting
+
+You can use Grafana Alerting with Elasticsearch to create alerts based on your Elasticsearch data. This allows you to monitor metrics, detect anomalies, and receive notifications when specific conditions are met.
+
+For general information about Grafana Alerting, refer to [Grafana Alerting](ref:alerting).
+
+## Before you begin
+
+Before creating alerts with Elasticsearch, ensure you have:
+
+- An Elasticsearch data source configured in Grafana
+- Appropriate permissions to create alert rules
+- Understanding of the metrics you want to monitor
+
+## Supported query types
+
+Elasticsearch alerting works best with **metrics queries** that return time series data. To create a valid alert query:
+
+- Use a **Date histogram** as the last bucket aggregation (under **Group by**)
+- Select appropriate metric aggregations (Count, Average, Sum, Min, Max, etc.)
+
+Queries that return time series data allow Grafana to evaluate values over time and trigger alerts when thresholds are crossed.
+
+### Query types and alerting compatibility
+
+| Query type                     | Alerting support | Notes                                                       |
+| ------------------------------ | ---------------- | ----------------------------------------------------------- |
+| Metrics with Date histogram    | ✅ Full support  | Recommended for alerting                                    |
+| Metrics without Date histogram | ⚠️ Limited       | May not evaluate correctly over time                        |
+| Logs                           | ❌ Not supported | Use metrics queries instead                                 |
+| Raw data                       | ❌ Not supported | Use metrics queries instead                                 |
+| Raw document (deprecated)      | ❌ Not supported | Deprecated since Grafana v10.1. Use metrics queries instead |
+
+## Create an alert rule
+
+To create an alert rule using Elasticsearch:
+
+1. Navigate to **Alerting** > **Alert rules**.
+1. Click **New alert rule**.
+1. Enter a name for the alert rule.
+1. Select your **Elasticsearch** data source.
+1. Build your query using the query editor:
+   - Add metric aggregations (for example, Average, Count, Sum)
+   - Add a Date histogram under **Group by**
+   - Optionally add filters using Lucene query syntax
+1. Configure the alert condition (for example, when the average is above a threshold).
+1. Set the evaluation interval and pending period.
+1. Configure notifications and labels.
+1. Click **Save rule**.
+
+For detailed instructions, refer to [Create a Grafana-managed alert rule](ref:create-alert-rule).
+
+## Example alert queries
+
+The following examples show common alerting scenarios with Elasticsearch.
+
+### Alert on high error count
+
+Monitor the number of error-level log entries:
+
+1. **Query:** `level:error`
+1. **Metric:** Count
+1. **Group by:** Date histogram (interval: 1m)
+1. **Condition:** When count is above 100
+
+### Alert on average response time
+
+Monitor API response times:
+
+1. **Query:** `type:api_request`
+1. **Metric:** Average on field `response_time`
+1. **Group by:** Date histogram (interval: 5m)
+1. **Condition:** When average is above 500 (milliseconds)
+
+### Alert on unique user count drop
+
+Detect drops in active users:
+
+1. **Query:** `*` (all documents)
+1. **Metric:** Unique count on field `user_id`
+1. **Group by:** Date histogram (interval: 1h)
+1. **Condition:** When unique count is below 100
+
+## Limitations
+
+When using Elasticsearch with Grafana Alerting, be aware of the following limitations:
+
+### Template variables not supported
+
+Alert queries cannot contain template variables. Grafana evaluates alert rules on the backend without dashboard context, so variables like `$hostname` or `$environment` won't be resolved.
+
+If your dashboard query uses template variables, create a separate query for alerting with hard coded values.
+
+### Logs queries not supported
+
+Queries using the **Logs** metric type cannot be used for alerting. Convert your query to use metric aggregations with a Date histogram instead.
+
+### Query complexity
+
+Complex queries with many nested aggregations may timeout or fail to evaluate. Simplify queries for alerting by:
+
+- Reducing the number of bucket aggregations
+- Using appropriate time intervals
+- Adding filters to limit the data scanned
+
+## Best practices
+
+Follow these best practices when creating Elasticsearch alerts:
+
+- **Use specific filters:** Add Lucene query filters to focus on relevant data and improve query performance.
+- **Choose appropriate intervals:** Match the Date histogram interval to your evaluation frequency.
+- **Test queries first:** Verify your query returns expected results in Explore before creating an alert.
+- **Set realistic thresholds:** Base alert thresholds on historical data patterns.
+- **Use meaningful names:** Give alert rules descriptive names that indicate what they monitor.

docs/sources/datasources/elasticsearch/annotations/index.md

@@ -0,0 +1,124 @@
+---
+aliases:
+  - ../../data-sources/elasticsearch/annotations/
+description: Using annotations with Elasticsearch in Grafana
+keywords:
+  - grafana
+  - elasticsearch
+  - annotations
+  - events
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Annotations
+title: Elasticsearch annotations
+weight: 500
+refs:
+  annotate-visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+---
+
+# Elasticsearch annotations
+
+Annotations overlay event data on your dashboard graphs, helping you correlate log events with metrics.
+You can use Elasticsearch as a data source for annotations to display events such as deployments, alerts, or other significant occurrences on your visualizations.
+
+For general information about annotations, refer to [Annotate visualizations](ref:annotate-visualizations).
+
+## Before you begin
+
+Before creating Elasticsearch annotations, ensure you have:
+
+- An Elasticsearch data source configured in Grafana
+- Documents in Elasticsearch containing event data with timestamp fields
+- Read access to the Elasticsearch index containing your events
+
+## Create an annotation query
+
+To add an Elasticsearch annotation to your dashboard:
+
+1. Navigate to your dashboard and click **Dashboard settings** (gear icon).
+1. Select **Annotations** in the left menu.
+1. Click **Add annotation query**.
+1. Enter a **Name** for the annotation.
+1. Select your **Elasticsearch** data source from the **Data source** drop-down.
+1. Configure the annotation query and field mappings.
+1. Click **Save dashboard**.
+
+## Query
+
+Use the query field to filter which Elasticsearch documents appear as annotations. The query uses [Lucene query syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax).
+
+**Examples:**
+
+| Query                                    | Description                                          |
+| ---------------------------------------- | ---------------------------------------------------- |
+| `*`                                      | Matches all documents.                               |
+| `type:deployment`                        | Shows only deployment events.                        |
+| `level:error OR level:critical`          | Shows error and critical events.                     |
+| `service:api AND environment:production` | Shows events for a specific service and environment. |
+| `tags:release`                           | Shows events tagged as releases.                     |
+
+You can use template variables in your annotation queries. For example, `service:$service` filters annotations based on the selected service variable.
+
+## Field mappings
+
+Field mappings tell Grafana which Elasticsearch fields contain the annotation data.
+
+### Time
+
+The **Time** field specifies which field contains the annotation timestamp.
+
+- **Default:** `@timestamp`
+- **Format:** The field must contain a date value that Elasticsearch recognizes.
+
+### Time End
+
+The **Time End** field specifies a field containing the end time for range annotations. Range annotations display as a shaded region on the graph instead of a single vertical line.
+
+- **Default:** Empty (single-point annotations)
+- **Use case:** Display maintenance windows, incidents, or any event with a duration.
+
+### Text
+
+The **Text** field specifies which field contains the annotation description displayed when you hover over the annotation.
+
+- **Default:** `tags`
+- **Tip:** Use a descriptive field like `message`, `description`, or `summary`.
+
+### Tags
+
+The **Tags** field specifies which field contains tags for the annotation. Tags help categorize and filter annotations.
+
+- **Default:** Empty
+- **Format:** The field can contain either a comma-separated string or an array of strings.
+
+## Example: Deployment annotations
+
+To display deployment events as annotations:
+
+1. Create an annotation query with the following settings:
+   - **Query:** `type:deployment`
+   - **Time:** `@timestamp`
+   - **Text:** `message`
+   - **Tags:** `environment`
+
+This configuration displays deployment events with their messages as the annotation text and environments as tags.
+
+## Example: Range annotations for incidents
+
+To display incidents with duration:
+
+1. Create an annotation query with the following settings:
+   - **Query:** `type:incident`
+   - **Time:** `start_time`
+   - **Time End:** `end_time`
+   - **Text:** `description`
+   - **Tags:** `severity`
+
+This configuration displays incidents as shaded regions from their start time to end time.

docs/sources/datasources/elasticsearch/configure-elasticsearch-data-source.md

@@ -1,209 +0,0 @@
----
-aliases:
-  - ../data-sources/elasticsearch/
-  - ../features/datasources/elasticsearch/
-description: Guide for configuring the Elasticsearch data source in Grafana
-keywords:
-  - grafana
-  - elasticsearch
-  - guide
-  - data source
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Configure Elasticsearch
-title: Configure the Elasticsearch data source
-weight: 200
-refs:
-  administration-documentation:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
-  supported-expressions:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/explore/logs-integration/#log-level
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/explore/logs-integration/#log-level
-  query-and-transform-data:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/panels-visualizations/query-transform-data/
-  provisioning-data-source:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/elasticsearch/#provision-the-data-source
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/connect-externally-hosted/data-sources/elasticsearch/#provision-the-data-source
----
-
-# Configure the Elasticsearch data source
-
-Grafana ships with built-in support for Elasticsearch.
-You can create a variety of queries to visualize logs or metrics stored in Elasticsearch, and annotate graphs with log events stored in Elasticsearch.
-
-For instructions on how to add a data source to Grafana, refer to the [administration documentation](ref:administration-documentation).
-
-Only users with the organization `administrator` role can add data sources.
-Administrators can also [configure the data source via YAML](ref:provisioning-data-source) with Grafana's provisioning system.
-
-## Configuring permissions
-
-When Elasticsearch security features are enabled, it is essential to configure the necessary cluster privileges to ensure seamless operation. Below is a list of the required privileges along with their purposes:
-
-- **monitor** - Necessary to retrieve the version information of the connected Elasticsearch instance.
-- **view_index_metadata** - Required for accessing mapping definitions of indices.
-- **read** - Grants the ability to perform search and retrieval operations on indices. This is essential for querying and extracting data from the cluster.
-
-## Add the data source
-
-To add the Elasticsearch data source, complete the following steps:
-
-1. Click **Connections** in the left-side menu.
-1. Under **Connections**, click **Add new connection**.
-1. Enter `Elasticsearch` in the search bar.
-1. Click **Elasticsearch** under the **Data source** section.
-1. Click **Add new data source** in the upper right.
-
-You will be taken to the **Settings** tab where you will set up your Elasticsearch configuration.
-
-## Configuration options
-
-The following is a list of configuration options for Elasticsearch.
-
-The first option to configure is the name of your connection:
-
-- **Name** - The data source name. This is how you refer to the data source in panels and queries. Examples: elastic-1, elasticsearch_metrics.
-
-- **Default** - Toggle to select as the default data source option. When you go to a dashboard panel or Explore, this will be the default selected data source.
-
-## Connection
-
-Connect the Elasticsearch data source by specifying a URL.
-
-- **URL** - The URL of your Elasticsearch server. If your Elasticsearch server is local, use `http://localhost:9200`. If it is on a server within a network, this is the URL with the port where you are running Elasticsearch. Example: `http://elasticsearch.example.orgname:9200`.
-
-## Authentication
-
-There are several authentication methods you can choose in the Authentication section.
-Select one of the following authentication methods from the dropdown menu.
-
-- **Basic authentication** - The most common authentication method. Use your `data source` user name and `data source` password to connect.
-
-- **Forward OAuth identity** - Forward the OAuth access token (and the OIDC ID token if available) of the user querying the data source.
-
-- **No authentication** - Make the data source available without authentication. Grafana recommends using some type of authentication method.
-
-<!-- - **With credentials** - Toggle to enable credentials such as cookies or auth headers to be sent with cross-site requests. -->
-
-### TLS settings
-
-{{< admonition type="note" >}}
-Use TLS (Transport Layer Security) for an additional layer of security when working with Elasticsearch. For information on setting up TLS encryption with Elasticsearch see [Configure TLS](https://www.elastic.co/guide/en/elasticsearch/reference/8.8/configuring-tls.html#configuring-tls). You must add TLS settings to your Elasticsearch configuration file **prior** to setting these options in Grafana.
-{{< /admonition >}}
-
-- **Add self-signed certificate** - Check the box to authenticate with a CA certificate. Follow the instructions of the CA (Certificate Authority) to download the certificate file. Required for verifying self-signed TLS certificates.
-
-- **TLS client authentication** - Check the box to authenticate with the TLS client, where the server authenticates the client. Add the `Server name`, `Client certificate` and `Client key`. The **ServerName** is used to verify the hostname on the returned certificate. The **Client certificate** can be generated from a Certificate Authority (CA) or be self-signed. The **Client key** can also be generated from a Certificate Authority (CA) or be self-signed. The client key encrypts the data between client and server.
-
-- **Skip TLS certificate validation** - Check the box to bypass TLS certificate validation. Skipping TLS certificate validation is not recommended unless absolutely necessary or for testing purposes.
-
-### HTTP headers
-
-Click **+ Add header** to add one or more HTTP headers. HTTP headers pass additional context and metadata about the request/response.
-
-- **Header** - Add a custom header. This allows custom headers to be passed based on the needs of your Elasticsearch instance.
-
-- **Value** - The value of the header.
-
-## Additional settings
-
-Additional settings are optional settings that can be configured for more control over your data source.
-
-### Advanced HTTP settings
-
-- **Allowed cookies** - Specify cookies by name that should be forwarded to the data source. The Grafana proxy deletes all forwarded cookies by default.
-
-- **Timeout** - The HTTP request timeout. This must be in seconds. There is no default, so this setting is up to you.
-
-### Elasticsearch details
-
-The following settings are specific to the Elasticsearch data source.
-
-- **Index name** - Use the index settings to specify a default for the `time field` and your Elasticsearch index's name. You can use a time pattern, for example `[logstash-]YYYY.MM.DD`, or a wildcard for the index name. When specifying a time pattern, the fixed part(s) of the pattern should be wrapped in square brackets.
-
-- **Pattern** - Select the matching pattern if using one in your index name. Options include:
-  - no pattern
-  - hourly
-  - daily
-  - weekly
-  - monthly
-  - yearly
-
-Only select a pattern option if you have specified a time pattern in the Index name field.
-
-- **Time field name** - Name of the time field. The default value is @timestamp. You can enter a different name.
-
-- **Max concurrent shard requests** - Sets the number of shards being queried at the same time. The default is `5`. For more information on shards see [Elasticsearch's documentation](https://www.elastic.co/guide/en/elasticsearch/reference/8.9/scalability.html#scalability).
-
-- **Min time interval** - Defines a lower limit for the auto group-by time interval. This value **must** be formatted as a number followed by a valid time identifier:
-
-  | Identifier | Description |
-  | ---------- | ----------- |
-  | `y`        | year        |
-  | `M`        | month       |
-  | `w`        | week        |
-  | `d`        | day         |
-  | `h`        | hour        |
-  | `m`        | minute      |
-  | `s`        | second      |
-  | `ms`       | millisecond |
-
-We recommend setting this value to match your Elasticsearch write frequency.
-For example, set this to `1m` if Elasticsearch writes data every minute.
-
-You can also override this setting in a dashboard panel under its data source options. The default is `10s`.
-
-- **X-Pack enabled** - Toggle to enable `X-Pack`-specific features and options, which provide the [query editor](../query-editor/) with additional aggregations, such as `Rate` and `Top Metrics`.
-
-- **Include frozen indices** - Toggle on when the `X-Pack enabled` setting is active. Includes frozen indices in searches. You can configure Grafana to include [frozen indices](https://www.elastic.co/guide/en/elasticsearch/reference/7.13/frozen-indices.html) when performing search requests.
-
-{{< admonition type="note" >}}
-Frozen indices are [deprecated in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/frozen-indices.html) since v7.14.
-{{< /admonition >}}
-
-- **Default query mode** - Specifies which query mode the data source uses by default. Options are `Metrics`, `Logs`, `Raw data`, and `Raw document`. The default is `Metrics`.
-
-### Logs
-
-In this section you can configure which fields the data source uses for log messages and log levels.
-
-- **Message field name:** - Grabs the actual log message from the default source.
-
-- **Level field name:** - Name of the field with log level/severity information. When a level label is specified, the value of this label is used to determine the log level and update the color of each log line accordingly. If the log doesn’t have a specified level label, we try to determine if its content matches any of the [supported expressions](ref:supported-expressions). The first match always determines the log level. If Grafana cannot infer a log-level field, it will be visualized with an unknown log level.
-
-### Data links
-
-Data links create a link from a specified field that can be accessed in Explore's logs view. You can add multiple data links by clicking **+ Add**.
-
-Each data link configuration consists of:
-
-- **Field** - Sets the name of the field used by the data link.
-
-- **URL/query** - Sets the full link URL if the link is external. If the link is internal, this input serves as a query for the target data source.<br/>In both cases, you can interpolate the value from the field with the `${__value.raw }` macro.
-
-- **URL Label** (Optional) - Sets a custom display label for the link. The link label defaults to the full external URL or name of the linked internal data source and is overridden by this setting.
-
-- **Internal link** - Toggle on to set an internal link. For an internal link, you can select the target data source with a data source selector. This supports only tracing data sources.
-
-## Private data source connect (PDC) and Elasticsearch
-
-Use private data source connect (PDC) to connect to and query data within a secure network without opening that network to inbound traffic from Grafana Cloud. See [Private data source connect](https://grafana.com/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/) for more information on how PDC works and [Configure Grafana private data source connect (PDC)](https://grafana.com/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc) for steps on setting up a PDC connection.
-
-If you use PDC with SIGv4 (AWS Signature Version 4 Authentication), the PDC agent must allow internet egress to`sts.<region>.amazonaws.com:443`.
-
-- **Private data source connect** - Click in the box to set the default PDC connection from the dropdown menu or create a new connection.
-
-Once you have configured your Elasticsearch data source options, click **Save & test** at the bottom to test out your data source connection. You can also remove a connection by clicking **Delete**.