Alerting: Update webhook receiver with hmac_config (#2335)

Author: JacobsonMT

docs/resources/contact_point.md

@@ -524,6 +524,7 @@ Optional:
 - `basic_auth_user` (String) The username to use in basic auth headers attached to the request. If omitted, basic auth will not be used.
 - `disable_resolve_message` (Boolean) Whether to disable sending resolve messages. Defaults to `false`.
 - `headers` (Map of String) Custom headers to attach to the request.
+- `hmac_config` (Block Set, Max: 1) HMAC signature configuration options. (see [below for nested schema](#nestedblock--webhook--hmac_config))
 - `http_config` (Block Set, Max: 1) Common HTTP client options. (see [below for nested schema](#nestedblock--webhook--http_config))
 - `http_method` (String) The HTTP method to use in the request. Defaults to `POST`.
 - `max_alerts` (Number) The maximum number of alerts to send in a single request. This can be helpful in limiting the size of the request body. The default is 0, which indicates no limit.
@@ -537,6 +538,19 @@ Read-Only:
 
 - `uid` (String) The UID of the contact point.
 
+<a id="nestedblock--webhook--hmac_config"></a>
+### Nested Schema for `webhook.hmac_config`
+
+Required:
+
+- `secret` (String, Sensitive) The secret key used to generate the HMAC signature.
+
+Optional:
+
+- `header` (String) The header in which the HMAC signature will be included. Defaults to `X-Grafana-Alerting-Signature`.
+- `timestamp_header` (String) If set, the timestamp will be included in the HMAC signature. The value should be the name of the header to use.
+
+
 <a id="nestedblock--webhook--http_config"></a>
 ### Nested Schema for `webhook.http_config`
 

examples/resources/grafana_contact_point/_acc_receiver_types_11_6.tf

@@ -0,0 +1,19 @@
+resource "grafana_contact_point" "receiver_types" {
+  name = "Receiver Types since v11.6"
+
+  webhook {
+    url = "http://hmac-minimal-webhook-url"
+    hmac_config {
+      secret = "test-hmac-minimal-secret"
+    }
+  }
+
+  webhook {
+    url = "http://hmac-webhook-url"
+    hmac_config {
+      secret           = "test-hmac-secret"
+      header           = "X-Grafana-Alerting-Signature"
+      timestamp_header = "X-Grafana-Alerting-Timestamp"
+    }
+  }
+}

internal/resources/grafana/resource_alerting_contact_point_notifiers.go

@@ -1133,12 +1133,14 @@ func (w webhookNotifier) meta() notifierMeta {
 		typeStr: "webhook",
 		desc:    "A contact point that sends notifications to an arbitrary webhook, using the Prometheus webhook format defined here: https://prometheus.io/docs/alerting/latest/configuration/#webhook_config",
 		fieldMapper: withCommonHTTPConfigFieldMappers(map[string]fieldMapper{
-			"http_method":         newKeyMapper("httpMethod"),
-			"basic_auth_user":     newKeyMapper("username"),
-			"basic_auth_password": newKeyMapper("password"),
-			"max_alerts":          newFieldMapper("maxAlerts", valueAsInt, valueAsInt),
-			"tls_config":          newFieldMapper("tlsConfig", translateTLSConfigPack, translateTLSConfigUnpack),
-			"headers":             omitEmptyMapper(),
+			"http_method":                  newKeyMapper("httpMethod"),
+			"basic_auth_user":              newKeyMapper("username"),
+			"basic_auth_password":          newKeyMapper("password"),
+			"max_alerts":                   newFieldMapper("maxAlerts", valueAsInt, valueAsInt),
+			"tls_config":                   newFieldMapper("tlsConfig", translateTLSConfigPack, translateTLSConfigUnpack),
+			"headers":                      omitEmptyMapper(),
+			"hmac_config":                  newKeyMapper("hmacConfig"),
+			"hmac_config.timestamp_header": newKeyMapper("timestampHeader"),
 		}),
 	}
 }
@@ -1198,6 +1200,32 @@ func (w webhookNotifier) schema() *schema.Resource {
 		Sensitive:   true,
 		Description: "Allows configuring TLS for the webhook notifier.",
 	}
+	r.Schema["hmac_config"] = &schema.Schema{
+		Type:        schema.TypeSet,
+		Optional:    true,
+		MaxItems:    1,
+		Description: "HMAC signature configuration options.",
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"secret": {
+					Type:        schema.TypeString,
+					Required:    true,
+					Sensitive:   true,
+					Description: "The secret key used to generate the HMAC signature.",
+				},
+				"header": {
+					Type:        schema.TypeString,
+					Optional:    true,
+					Description: "The header in which the HMAC signature will be included. Defaults to `X-Grafana-Alerting-Signature`.",
+				},
+				"timestamp_header": {
+					Type:        schema.TypeString,
+					Optional:    true,
+					Description: "If set, the timestamp will be included in the HMAC signature. The value should be the name of the header to use.",
+				},
+			},
+		},
+	}
 	r.Schema["headers"] = &schema.Schema{
 		Type:        schema.TypeMap,
 		Optional:    true,

internal/resources/grafana/resource_alerting_contact_point_test.go

@@ -529,6 +529,83 @@ func TestAccContactPoint_notifiers11_4(t *testing.T) {
 	})
 }
 
+func TestAccContactPoint_notifiers11_6(t *testing.T) {
+	testutils.CheckOSSTestsEnabled(t, ">=11.6.0")
+
+	var points models.ContactPoints
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
+		// Implicitly tests deletion.
+		CheckDestroy: alertingContactPointCheckExists.destroyed(&points, nil),
+		Steps: []resource.TestStep{
+			// Multiple hmac_config blocks are not allowed.
+			{
+				Config: `
+				resource "grafana_contact_point" "receiver_types" {
+				  name = "Receiver Types since v11.6"
+				
+				  webhook {
+					url = "http://my-url"
+					hmac_config {
+					  secret = "test-secret1"
+					}
+					hmac_config {
+					  secret = "test-secret2"
+					}
+				  }
+				}
+				`,
+				ExpectError: regexp.MustCompile(`Too many hmac_config blocks`),
+			},
+			// Secret field required.
+			{
+				Config: testutils.TestAccExampleWithReplace(t, "resources/grafana_contact_point/_acc_receiver_types_11_6.tf", map[string]string{
+					`secret           = "test-hmac-secret"`: ``,
+				}),
+				ExpectError: regexp.MustCompile(`Missing required argument`),
+			},
+			// Test creation.
+			{
+				Config: testutils.TestAccExample(t, "resources/grafana_contact_point/_acc_receiver_types_11_6.tf"),
+				Check: resource.ComposeTestCheckFunc(
+					checkAlertingContactPointExistsWithLength("grafana_contact_point.receiver_types", &points, 2),
+					// webhook basic
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.#", "2"),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.0.url", "http://hmac-minimal-webhook-url"),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.1.url", "http://hmac-webhook-url"),
+
+					// New
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.0.hmac_config.0.secret", "test-hmac-minimal-secret"),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.0.hmac_config.0.header", ""),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.0.hmac_config.0.timestamp_header", ""),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.1.hmac_config.0.secret", "test-hmac-secret"),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.1.hmac_config.0.header", "X-Grafana-Alerting-Signature"),
+					resource.TestCheckResourceAttr("grafana_contact_point.receiver_types", "webhook.1.hmac_config.0.timestamp_header", "X-Grafana-Alerting-Timestamp"),
+
+					// Ensure that we're sending the grafana-style fiel names to the API by checking the GET response.
+					func(s *terraform.State) error {
+						found := false
+						for _, p := range points {
+							hmacConfig, ok := p.Settings.(map[string]interface{})["hmacConfig"]
+							if !ok {
+								return fmt.Errorf("hmacConfig was not present in the settings when it should have been. value: %#v", p.Settings)
+							}
+							if _, ok := hmacConfig.(map[string]interface{})["timestampHeader"]; ok {
+								found = true
+							}
+						}
+						if !found {
+							return fmt.Errorf("timestampHeader was not present in any hmacConfig when it should have been. Settings: [%v, %v]", points[0].Settings, points[1].Settings)
+						}
+						return nil
+					},
+				),
+			},
+		},
+	})
+}
+
 func TestAccContactPoint_notifiers12_0(t *testing.T) {
 	testutils.CheckOSSTestsEnabled(t, ">=12.0.0")