feat: add Prometheus metrics support (#768)

Author: felladrin

docs/data-sources/prometheus_scrape_config.md

@@ -0,0 +1,165 @@
+---
+page_title: "minio_prometheus_scrape_config Data Source - terraform-provider-minio"
+subcategory: ""
+description: |-
+  Generates Prometheus scrape configuration for MinIO metrics endpoints.
+---
+
+# minio_prometheus_scrape_config (Data Source)
+
+Generates Prometheus scrape configuration for MinIO metrics endpoints.
+
+## Example Usage
+
+```terraform
+# Generate scrape configuration for cluster metrics
+data "minio_prometheus_scrape_config" "cluster" {
+  metric_type = "cluster"
+  alias       = "minio-cluster"
+}
+
+# Generate scrape configuration for node metrics
+data "minio_prometheus_scrape_config" "node" {
+  metric_type = "node"
+  alias       = "minio-nodes"
+}
+
+# Generate scrape configuration for bucket metrics with v2 metrics
+data "minio_prometheus_scrape_config" "bucket" {
+  metric_type      = "bucket"
+  alias            = "minio-buckets"
+  metrics_version  = "v2"
+}
+
+# Generate scrape configuration for resource metrics with bearer token
+data "minio_prometheus_scrape_config" "resource" {
+  metric_type  = "resource"
+  alias        = "minio-resources"
+  bearer_token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9..."
+}
+```
+
+## Using with Bearer Token Resource
+
+```terraform
+# Create a bearer token for authenticated access
+resource "minio_prometheus_bearer_token" "cluster_token" {
+  metric_type = "cluster"
+  expires_in  = "24h"
+}
+
+# Generate authenticated scrape configuration
+data "minio_prometheus_scrape_config" "cluster_auth" {
+  metric_type  = "cluster"
+  alias        = "minio-cluster-auth"
+  bearer_token = minio_prometheus_bearer_token.cluster_token.token
+}
+
+# Output the complete Prometheus configuration
+output "prometheus_config" {
+  value = data.minio_prometheus_scrape_config.cluster_auth.scrape_config
+}
+```
+
+## Complete Prometheus Configuration Example
+
+```terraform
+# Generate scrape configs for all metric types
+data "minio_prometheus_scrape_config" "cluster" {
+  metric_type = "cluster"
+  alias       = "minio-cluster"
+}
+
+data "minio_prometheus_scrape_config" "node" {
+  metric_type = "node"
+  alias       = "minio-nodes"
+}
+
+data "minio_prometheus_scrape_config" "bucket" {
+  metric_type = "bucket"
+  alias       = "minio-buckets"
+}
+
+data "minio_prometheus_scrape_config" "resource" {
+  metric_type = "resource"
+  alias       = "minio-resources"
+}
+
+# Combine all scrape configs
+locals {
+  prometheus_config = <<-EOT
+    ${data.minio_prometheus_scrape_config.cluster.scrape_config}
+    
+    ${data.minio_prometheus_scrape_config.node.scrape_config}
+    
+    ${data.minio_prometheus_scrape_config.bucket.scrape_config}
+    
+    ${data.minio_prometheus_scrape_config.resource.scrape_config}
+  EOT
+}
+
+output "complete_prometheus_config" {
+  value = local.prometheus_config
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `metric_type` (String) Metric type for the scrape configuration. Valid values are: cluster, node, bucket, resource
+
+### Optional
+
+- `alias` (String) Alias for the MinIO server in Prometheus configuration
+- `bearer_token` (String, Sensitive) Bearer token for authenticated access to Prometheus metrics (when using JWT auth)
+- `metrics_version` (String) Metrics version. Valid values are: v2, v3
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `metrics_path` (String) Metrics endpoint path
+- `scrape_config` (String, Sensitive) Generated Prometheus scrape configuration in YAML format
+
+## Metric Types
+
+- **cluster**: Cluster-level metrics including server status, usage, and performance
+- **node**: Node-specific metrics for individual MinIO servers in a cluster
+- **bucket**: Bucket-level metrics including object counts, sizes, and operations
+- **resource**: Resource utilization metrics for CPU, memory, and disk
+
+## Metrics Versions
+
+- **v2**: Legacy metrics format (`/minio/v2/metrics/{type}`)
+- **v3**: Current metrics format (`/minio/metrics/v3?type={type}`) - default
+
+## Authentication
+
+The data source supports both unauthenticated and authenticated access:
+
+1. **Unauthenticated**: Omit the `bearer_token` field for public metrics endpoints
+2. **Authenticated**: Provide a JWT bearer token for secure metrics access
+
+Use the `minio_prometheus_bearer_token` resource to generate valid tokens.
+
+## Generated Configuration
+
+The generated scrape configuration includes:
+
+- Job name based on the alias
+- Metrics path for the specified metric type and version
+- Scheme (http/https) based on provider SSL configuration
+- Bearer token (if provided)
+- Static config with the MinIO server endpoint
+
+Example output:
+```yaml
+scrape_configs:
+  - job_name: minio-cluster
+    metrics_path: /minio/metrics/v3?type=cluster
+    scheme: https
+    bearer_token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9...
+    static_configs:
+      - targets: ["minio.example.com:9000"]
+```

docs/resources/prometheus_bearer_token.md

@@ -0,0 +1,119 @@
+---
+page_title: "minio_prometheus_bearer_token Resource - terraform-provider-minio"
+subcategory: ""
+description: |-
+  Manages MinIO Prometheus bearer tokens for metrics authentication.
+  Bearer tokens are JWTs signed with MinIO credentials that authenticate
+  requests to Prometheus metrics endpoints. Each metric type (cluster, node,
+  bucket, resource) can have its own token.
+  Tokens are generated locally using the provider's access and secret keys,
+  so no API call is needed to create them. The token is valid for the specified
+  duration from creation time.
+---
+
+# minio_prometheus_bearer_token (Resource)
+
+Manages MinIO Prometheus bearer tokens for metrics authentication.
+
+Bearer tokens are JWTs signed with MinIO credentials that authenticate
+requests to Prometheus metrics endpoints. Each metric type (cluster, node,
+bucket, resource) can have its own token.
+
+Tokens are generated locally using the provider's access and secret keys,
+so no API call is needed to create them. The token is valid for the specified
+duration from creation time.
+
+## Example Usage
+
+```terraform
+# Create a bearer token for cluster metrics
+resource "minio_prometheus_bearer_token" "cluster" {
+  metric_type = "cluster"
+  expires_in  = "24h"
+}
+
+# Create a bearer token for node metrics with custom expiry
+resource "minio_prometheus_bearer_token" "node" {
+  metric_type = "node"
+  expires_in  = "168h"  # 1 week
+}
+
+# Create a bearer token for bucket metrics with limit
+resource "minio_prometheus_bearer_token" "bucket" {
+  metric_type = "bucket"
+  expires_in  = "720h"  # 30 days
+  limit       = 2160    # 90 days limit
+}
+
+# Create a bearer token for resource metrics
+resource "minio_prometheus_bearer_token" "resource" {
+  metric_type = "resource"
+  expires_in  = "87600h"  # 10 years (default)
+}
+```
+
+## Using with Prometheus Scrape Configuration
+
+```terraform
+# Generate bearer token
+resource "minio_prometheus_bearer_token" "cluster_metrics" {
+  metric_type = "cluster"
+  expires_in  = "24h"
+}
+
+# Generate scrape configuration with bearer token
+data "minio_prometheus_scrape_config" "cluster" {
+  metric_type  = "cluster"
+  bearer_token = minio_prometheus_bearer_token.cluster_metrics.token
+}
+
+output "prometheus_scrape_config" {
+  value = data.minio_prometheus_scrape_config.cluster.scrape_config
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `metric_type` (String) Type of metrics to authenticate. Valid values: cluster, node, bucket, resource
+
+### Optional
+
+- `expires_in` (String) Token expiry duration in whole hours only (e.g., 24h, 87600h). Go time.Duration formats like 24h30m or units such as m/s are not supported. Default: 87600h (10 years)
+- `limit` (Number) Maximum token expiry in hours. Default: 876000 (100 years)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `token` (String, Sensitive) Generated JWT bearer token for the metrics endpoint
+- `token_expiry` (String) Expiry timestamp of the token in RFC3339 format
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Import using the metric type
+terraform import minio_prometheus_bearer_token.example cluster
+terraform import minio_prometheus_bearer_token.example node
+terraform import minio_prometheus_bearer_token.example bucket
+terraform import minio_prometheus_bearer_token.example resource
+```
+
+## Security Considerations
+
+- Bearer tokens are sensitive credentials. Treat them like passwords.
+- Tokens are generated locally using the provider's access and secret keys.
+- The token is stored in Terraform state as a sensitive value.
+- Use appropriate expiry durations based on your security requirements.
+- Regularly rotate tokens by updating the `expires_in` field.
+
+## Token Expiry
+
+- The `expires_in` field accepts durations in whole hours only (e.g., `24h`, `168h`).
+- The `limit` field sets the maximum allowed expiry in hours.
+- If the requested expiry exceeds the limit, it will be capped at the limit.
+- Default expiry is 87600 hours (10 years).
+- Default limit is 876000 hours (100 years).

minio/check_config.go

@@ -297,3 +297,38 @@ func ObjectLegalHoldConfig(d *schema.ResourceData, meta interface{}) *S3MinioObj
 		MinioStatus:    getOptionalField(d, "status", "").(string),
 	}
 }
+
+// PrometheusBearerTokenConfig creates configuration for MinIO Prometheus bearer token.
+func PrometheusBearerTokenConfig(d *schema.ResourceData, meta interface{}) *S3MinioPrometheusBearerToken {
+	m := meta.(*S3MinioClient)
+
+	return &S3MinioPrometheusBearerToken{
+		MinioAdmin:     m.S3Admin,
+		MinioAccessKey: m.S3UserAccess,
+		MinioSecretKey: m.S3UserSecret,
+		MetricType:     getOptionalField(d, "metric_type", "cluster").(string),
+		ExpiresIn:      getOptionalField(d, "expires_in", "87600h").(string),
+		Limit:          getOptionalField(d, "limit", 876000).(int),
+	}
+}
+
+// PrometheusScrapeConfig creates configuration for MinIO Prometheus scrape config.
+func PrometheusScrapeConfig(d *schema.ResourceData, meta interface{}) *S3MinioPrometheusScrapeConfig {
+	m := meta.(*S3MinioClient)
+
+	payload := &S3MinioPrometheusScrapeConfig{
+		MinioEndpoint:  m.S3Endpoint,
+		MinioAccessKey: m.S3UserAccess,
+		MinioSecretKey: m.S3UserSecret,
+		UseSSL:         m.S3SSL,
+		MetricType:     getOptionalField(d, "metric_type", "cluster").(string),
+		Alias:          getOptionalField(d, "alias", "").(string),
+		MetricsVersion: getOptionalField(d, "metrics_version", "v3").(string),
+	}
+
+	if val, ok := d.GetOk("bearer_token"); ok {
+		payload.BearerToken = val.(string)
+	}
+
+	return payload
+}