mondoohq
diff --git a/‎Makefile‎
Lines changed: 2 additions & 0 deletions b/‎Makefile‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎providers/grafana/config/config.go‎
Lines changed: 61 additions & 0 deletions b/‎providers/grafana/config/config.go‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎providers/grafana/connection/connection.go‎
Lines changed: 147 additions & 0 deletions b/‎providers/grafana/connection/connection.go‎
Lines changed: 147 additions & 0 deletions
@@ -207,6 +207,7 @@ PROVIDERS := \
 	gcp \
 	github \
 	gitlab \
+	grafana \
 	google-workspace \
 	ipinfo \
 	ipmi \
@@ -273,6 +274,7 @@ providers/test:
 	@$(call testGoModProvider, providers/equinix)
 	@$(call testGoModProvider, providers/gcp)
 	@$(call testGoModProvider, providers/github)
+	@$(call testGoModProvider, providers/grafana)
 	@$(call testGoModProvider, providers/gitlab)
 	@$(call testGoModProvider, providers/google-workspace)
 	@$(call testGoModProvider, providers/ipinfo)
 
@@ -0,0 +1,61 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package config
+
+import (
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers/grafana/provider"
+)
+
+var Config = plugin.Provider{
+	Name:            "grafana",
+	ID:              "go.mondoo.com/mql/v13/providers/grafana",
+	Version:         "13.0.0",
+	ConnectionTypes: []string{provider.DefaultConnectionType},
+	Connectors: []plugin.Connector{
+		{
+			Name:  "grafana",
+			Use:   "grafana",
+			Short: "a Grafana organization",
+			Long: `Use the grafana provider to query resources in a Grafana organization.
+
+Examples:
+  cnspec shell grafana --url https://myorg.grafana.net --token <api-token>
+  cnspec scan grafana --url https://myorg.grafana.net --token <api-token>
+
+Notes:
+  If you set the GRAFANA_TOKEN environment variable, you can omit the token flag.
+  If you set the GRAFANA_URL environment variable, you can omit the url flag.
+`,
+			MinArgs:   0,
+			MaxArgs:   0,
+			Discovery: []string{},
+			Flags: []plugin.Flag{
+				{
+					Long:    "token",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Grafana service account token",
+				},
+				{
+					Long:    "url",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Grafana instance URL (e.g., https://myorg.grafana.net)",
+				},
+			},
+		},
+	},
+	AssetUrlTrees: []*inventory.AssetUrlBranch{
+		{
+			PathSegments: []string{"technology=saas", "provider=grafana"},
+			Key:          "kind",
+			Title:        "Kind",
+			Values: map[string]*inventory.AssetUrlBranch{
+				"org": nil,
+			},
+		},
+	},
+}
@@ -0,0 +1,147 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package connection
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/go-retryablehttp"
+	"github.com/rs/zerolog/log"
+	"go.mondoo.com/mql/v13/logger/zerologadapter"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/vault"
+)
+
+// GrafanaConnection holds the HTTP client and auth state for a Grafana instance.
+type GrafanaConnection struct {
+	plugin.Connection
+	Conf    *inventory.Config
+	asset   *inventory.Asset
+	client  *http.Client
+	baseURL string
+	token   string
+}
+
+// NewGrafanaConnection constructs a GrafanaConnection, resolving credentials and
+// base URL from vault credentials, conf options, or environment variables.
+// Both token and baseURL are required; an error is returned if either is absent.
+func NewGrafanaConnection(id uint32, asset *inventory.Asset, conf *inventory.Config) (*GrafanaConnection, error) {
+	conn := &GrafanaConnection{
+		Connection: plugin.NewConnection(id, asset),
+		Conf:       conf,
+		asset:      asset,
+	}
+
+	// Resolve token: vault credential (CredentialType_password) takes precedence over env.
+	token := os.Getenv("GRAFANA_TOKEN")
+	for _, cred := range conf.Credentials {
+		if cred.Type == vault.CredentialType_password {
+			token = string(cred.Secret)
+		} else {
+			log.Warn().Str("credential-type", cred.Type.String()).Msg("unsupported credential type for Grafana provider")
+		}
+	}
+	token = strings.TrimSpace(token)
+	if token == "" {
+		return nil, errors.New("a valid Grafana token is required, pass --token '<yourtoken>' or set GRAFANA_TOKEN environment variable")
+	}
+
+	// Resolve base URL: conf option takes precedence over env.
+	baseURL := os.Getenv("GRAFANA_URL")
+	if conf.Options != nil {
+		if v, ok := conf.Options["url"]; ok && v != "" {
+			baseURL = v
+		}
+	}
+	baseURL = strings.TrimRight(baseURL, "/")
+	if baseURL == "" {
+		return nil, errors.New("a Grafana instance URL is required, pass --url '<url>' or set GRAFANA_URL environment variable")
+	}
+
+	// Build a retryablehttp client that handles transient failures automatically.
+	retryClient := retryablehttp.NewClient()
+	retryClient.RetryMax = 5
+	retryClient.Logger = zerologadapter.New(log.Logger)
+	httpClient := retryClient.StandardClient()
+	httpClient.Timeout = 30 * time.Second
+
+	conn.token = token
+	conn.baseURL = baseURL
+	conn.client = httpClient
+
+	return conn, nil
+}
+
+// Name returns the connection type name.
+func (c *GrafanaConnection) Name() string {
+	return "grafana"
+}
+
+// Asset returns the inventory asset associated with this connection.
+func (c *GrafanaConnection) Asset() *inventory.Asset {
+	return c.asset
+}
+
+// BaseURL returns the trimmed base URL of the Grafana instance.
+func (c *GrafanaConnection) BaseURL() string {
+	return c.baseURL
+}
+
+// OrgID returns the org-id option value, or empty string if not set.
+func (c *GrafanaConnection) OrgID() string {
+	if c.Conf.Options == nil {
+		return ""
+	}
+	return c.Conf.Options["org-id"]
+}
+
+// Get issues an authenticated GET request to baseURL+path and returns the raw
+// response. The caller is responsible for closing the response body and checking
+// the status code.
+func (c *GrafanaConnection) Get(ctx context.Context, path string) (*http.Response, error) {
+	url := c.baseURL + path
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("grafana: failed to create request for %s: %w", path, err)
+	}
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/json")
+	return c.client.Do(req)
+}
+
+// grafanaOrgPlatform returns the canonical platform descriptor for a Grafana org.
+func grafanaOrgPlatform() *inventory.Platform {
+	return &inventory.Platform{
+		Name:                  "grafana-org",
+		Title:                 "Grafana Organization",
+		Family:                []string{"grafana"},
+		Kind:                  "api",
+		Runtime:               "grafana",
+		TechnologyUrlSegments: []string{"saas", "grafana", "org"},
+	}
+}
+
+// PlatformInfo returns the platform descriptor for this connection.
+func (c *GrafanaConnection) PlatformInfo() (*inventory.Platform, error) {
+	return grafanaOrgPlatform(), nil
+}
+
+// Identifier returns the platform MRN for this Grafana org connection.
+// If org-id is set in options it is appended; otherwise the path ends at "org".
+func (c *GrafanaConnection) Identifier() string {
+	base := "//platformid.api.mondoo.app/runtime/grafana/org"
+	orgID := c.OrgID()
+	if orgID != "" {
+		return base + "/" + orgID
+	}
+	return base
+}