discovery on Grafana Labs

discovery.azure

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.azure`

discovery.azure discovers Azure Virtual Machines and exposes them as targets.

Usage

discovery.azure "<LABEL>" {
}

Arguments

You can use the following arguments with discovery.azure:

Name	Type	Description	Default	Required
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`environment`	`string`	Azure environment.	`"AzurePublicCloud"`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`number`	The port appended to the `__address__` label for each target.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Interval at which to refresh the list of targets.	`"5m"`	no
`subscription_id`	`string`	Azure subscription ID.		no

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_from_environment uses the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO_PROXY. proxy_url and no_proxy must not be configured if proxy_from_environment is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.azure:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

You must specify exactly one of the oauth or managed_identity blocks.

`managed_identity`

The managed_identity block configures Managed Identity authentication for the Azure API.

Name	Type	Description	Default	Required
`client_id`	`string`	Managed Identity client ID.		yes

`oauth`

The oauth block configures OAuth 2.0 authentication for the Azure API.

Name	Type	Description	Required
`client_id`	`string`	OAuth 2.0 client ID.	yes
`client_secret`	`string`	OAuth 2.0 client secret.	yes
`tenant_id`	`string`	OAuth 2.0 tenant ID.	yes

`tls_config`

The tls_config block configures TLS settings for requests to the Azure API.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

When min_version isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If min_version is provided, it must be set to one of the following strings:

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Azure API.

Each target includes the following labels:

__meta_azure_machine_computer_name: The host OS name of the VM.
__meta_azure_machine_id: The UUID of the Azure VM.
__meta_azure_machine_location: The region the VM is in.
__meta_azure_machine_name: The name of the VM.
__meta_azure_machine_os_type: The OS the VM is running, either Linux or Windows.
__meta_azure_machine_private_ip: The private IP address of the VM.
__meta_azure_machine_public_ip: The public IP address of the VM.
__meta_azure_machine_resource_group: The name of the resource group the VM is in.
__meta_azure_machine_scale_set: The name of the scale set the VM is in.
__meta_azure_machine_size: The size of the VM.
__meta_azure_machine_tag_*: A tag on the VM. There is one label per tag.
__meta_azure_subscription_id: The Azure subscription ID.
__meta_azure_tenant_id: The Azure tenant ID.

Each discovered VM maps to a single target. The __address__ label is set to the private_ip:port of the VM if the private IP is an IPv4 address, or [private_ip]:port if the private IP of the VM is an IPv6 address.

Component health

discovery.azure is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.azure doesn’t expose any component-specific debug information.

Debug metrics

discovery.azure doesn’t expose any component-specific debug metrics.

Example

discovery.azure "example" {
  port = 80
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
  oauth {
      client_id = "<AZURE_CLIENT_ID>"
      client_secret = "<AZURE_CLIENT_SECRET>"
      tenant_id = "<AZURE_TENANT_ID>"
  }
}

prometheus.scrape "demo" {
  targets    = discovery.azure.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<AZURE_SUBSCRIPTION_ID>: Your Azure subscription ID.
<AZURE_CLIENT_ID>: Your Azure client ID.
<AZURE_CLIENT_SECRET>: Your Azure client secret.
<AZURE_TENANT_ID>: Your Azure tenant ID.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.azure has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.consul

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.consul`

discovery.consul allows you to retrieve scrape targets from Consul’s Catalog API.

Usage

discovery.consul "<LABEL>" {
  server = "<CONSUL_SERVER>"
}

Arguments

You can use the following arguments with discovery.consul:

Name	Type	Description	Default	Required
`allow_stale`	`bool`	Allow stale Consul results. Reduces load on Consul. Refer to the Consul documentation for more information.	`true`	no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`datacenter`	`string`	Data center to query. If not provided, the default is used.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`namespace`	`string`	Namespace to use. Only supported in Consul Enterprise.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`node_meta`	`map(string)`	Node metadata key/value pairs to filter nodes for a given service.		no
`partition`	`string`	Admin partition to use. Only supported in Consul Enterprise.		no
`password`	`secret`	The password to use. Deprecated in favor of the `basic_auth` configuration.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to refresh list of containers.	`"30s"`	no
`scheme`	`string`	The scheme to use when talking to Consul.	`"http"`	no
`server`	`string`	Host and port of the Consul API.	`"localhost:8500"`	no
`services`	`list(string)`	A list of services for which targets are retrieved. If omitted, all services are scraped.		no
`tag_separator`	`string`	The string by which Consul tags are joined into the tag label.	`","`	no
`tags`	`list(string)`	An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list.		no
`token`	`secret`	Secret token used to access the Consul API.		no
`username`	`string`	The username to use. Deprecated in favor of the `basic_auth` configuration.		no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.consul:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Consul catalog API.

Each target includes the following labels:

__meta_consul_address: The address of the target.
__meta_consul_metadata_<key>: Each node metadata key value of the target.
__meta_consul_node: The node name defined for the target.
__meta_consul_partition: The administrator partition name where the service is registered.
__meta_consul_service_address: The service address of the target.
__meta_consul_service_id: The service ID of the target.
__meta_consul_service_metadata_<key>: Each service metadata key value of the target.
__meta_consul_service_port: The service port of the target.
__meta_consul_service: The name of the service the target belongs to.
__meta_consul_tagged_address_<key>: Each node tagged address key value of the target.
__meta_consul_tags: The list of tags of the target joined by the tag separator.

Component health

discovery.consul is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.consul doesn’t expose any component-specific debug information.

Debug metrics

discovery.consul doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from Consul for the specified list of services:

discovery.consul "example" {
  server = "localhost:8500"
  services = [
    "service1",
    "service2",
  ]
}

prometheus.scrape "demo" {
  targets    = discovery.consul.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.consul has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.consulagent

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.consulagent`

discovery.consulagent allows you to retrieve scrape targets from Consul’s Agent API. Only the services registered with the local agent running on the same host are watched. This is suitable for very large Consul clusters for which using the Catalog API would be too slow or resource intensive.

Usage

discovery.consulagent "<LABEL>" {
  server = "<CONSUL_SERVER>"
}

Arguments

You can use the following arguments with discovery.consulagent:

Name	Type	Description	Default	Required
`datacenter`	`string`	Data center in which the Consul Agent is configured to run. If not provided, the data center is retrieved from the local Consul Agent.		no
`password`	`secret`	The password to use.		no
`refresh_interval`	`duration`	Frequency to refresh list of containers.	`"30s"`	no
`scheme`	`string`	The scheme to use when talking to the Consul Agent.	`"http"`	no
`server`	`string`	Host and port of the Consul Agent API.	`"localhost:8500"`	no
`services`	`list(string)`	A list of services for which targets are retrieved. If omitted, all services are scraped.		no
`tag_separator`	`string`	The string by which Consul tags are joined into the tag label.	`","`	no
`tags`	`list(string)`	An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list.		no
`token`	`secret`	Secret token used to access the Consul Agent API.		no
`username`	`string`	The username to use.		no

Blocks

You can use the following block with discovery.consulagent:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Consul Agent API.

Each target includes the following labels:

__meta_consulagent_address: The address of the target.
__meta_consulagent_dc: The data center name for the target.
__meta_consulagent_health: The health status of the service.
__meta_consulagent_metadata_<key>: Each node metadata key value of the target.
__meta_consulagent_node: The node name defined for the target.
__meta_consulagent_service_address: The service address of the target.
__meta_consulagent_service_id: The service ID of the target.
__meta_consulagent_service_metadata_<key>: Each service metadata key value of the target.
__meta_consulagent_service_port: The service port of the target.
__meta_consulagent_service: The name of the service the target belongs to.
__meta_consulagent_tagged_address_<key>: Each node tagged address key value of the target.
__meta_consulagent_tags: The list of tags of the target joined by the tag separator.

Component health

discovery.consulagent is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.consulagent doesn’t expose any component-specific debug information.

Debug metrics

discovery_consulagent_rpc_duration_seconds (SummaryVec): The duration of a Consul Agent RPC call in seconds.
discovery_consulagent_rpc_failures_total (Counter): The number of Consul Agent RPC call failures.

Example

This example discovers targets from a Consul Agent for the specified list of services:

discovery.consulagent "example" {
  server = "localhost:8500"
  services = [
    "service1",
    "service2",
  ]
}

prometheus.scrape "demo" {
  targets    = discovery.consulagent.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.consulagent has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.digitalocean

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.digitalocean`

discovery.digitalocean discovers DigitalOcean Droplets and exposes them as targets.

Usage

discovery.digitalocean "<LABEL>" {
    // Use one of:
    // bearer_token      = "<BEARER_TOKEN>"
    // bearer_token_file = "<PATH_TO_BEARER_TOKEN_FILE>"
}

Arguments

You can use the following arguments with discovery.digitalocean:

Name	Type	Description	Default	Required
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`number`	Port to be appended to the `__address__` label for each Droplet.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to refresh list of Droplets.	`"1m"`	no

The DigitalOcean API uses bearer tokens for authentication, see more about it in the DigitalOcean API documentation.

Exactly one of the bearer_token and bearer_token_file arguments must be specified to authenticate against DigitalOcean.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

The discovery.digitalocean component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the DigitalOcean API.

Each target includes the following labels:

__meta_digitalocean_droplet_id: ID of the Droplet.
__meta_digitalocean_droplet_name: Name of the Droplet.
__meta_digitalocean_features: Optional properties configured for the Droplet, such as IPV6 networking, private networking, or backups.
__meta_digitalocean_image_name: Name of the image used to create the Droplet.
__meta_digitalocean_image: The image slug (unique text identifier of the image) used to create the Droplet.
__meta_digitalocean_private_ipv4: The private IPv4 address of the Droplet.
__meta_digitalocean_public_ipv4: The public IPv4 address of the Droplet.
__meta_digitalocean_public_ipv6: The public IPv6 address of the Droplet.
__meta_digitalocean_region: The region the Droplet is running in.
__meta_digitalocean_size: The size of the Droplet.
__meta_digitalocean_status: The current status of the Droplet.
__meta_digitalocean_tags: The tags assigned to the Droplet.
__meta_digitalocean_vpc: The ID of the VPC where the Droplet is located.

Each discovered Droplet maps to one target.

Component health

discovery.digitalocean is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.digitalocean doesn’t expose any component-specific debug information.

Debug metrics

discovery.digitalocean doesn’t expose any component-specific debug metrics.

Example

This would result in targets with __address__ labels like: 192.0.2.1:8080:

discovery.digitalocean "example" {
  port             = 8080
  refresh_interval = "5m"
  bearer_token     = "my-secret-bearer-token"
}

prometheus.scrape "demo" {
  targets    = discovery.digitalocean.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.digitalocean has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.dns

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.dns`

discovery.dns discovers scrape targets from DNS records.

Usage

discovery.dns "<LABEL>" {
  names = ["<NAME_1>", "<NAME_2>", ...]
}

Arguments

You can use the following arguments with discovery.dns:

Name	Type	Description	Default	Required
`names`	`list(string)`	DNS names to look up.		yes
`port`	`number`	Port to use for collecting metrics. Not used for SRV records.	`0`	no
`refresh_interval`	`duration`	How often to query DNS for updates.	`"30s"`	no
`type`	`string`	Type of DNS record to query. Must be one of SRV, A, AAAA, MX, or NS.	`"SRV"`	no

Blocks

The discovery.dns component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following field is exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the DNS records.

Each target includes the following labels:

__meta_dns_mx_record_target: Target field of the MX record.
__meta_dns_name: Name of the record that produced the discovered target.
__meta_dns_ns_record_target: Target field of the NS record.
__meta_dns_srv_record_port: Port field of the SRV record.
__meta_dns_srv_record_target: Target field of the SRV record.

Component health

discovery.dns is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.dns doesn’t expose any component-specific debug information.

Debug metrics

discovery.dns doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from an A record.

discovery.dns "dns_lookup" {
  names = ["myservice.example.com", "myotherservice.example.com"]
  type = "A"
  port = 8080
}

prometheus.scrape "demo" {
  targets    = discovery.dns.dns_lookup.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.dns has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.docker

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.docker`

discovery.docker discovers Docker Engine containers and exposes them as targets.

Usage

discovery.docker "<LABEL>" {
  host = "<DOCKER_ENGINE_HOST>"
}

Arguments

You can use the following arguments with discovery.docker:

Name	Type	Description	Default	Required
`host`	`string`	Address of the Docker Daemon to connect to.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`host_networking_host`	`string`	Host to use if the container is in host networking mode.	`"localhost"`	no
`match_first_network`	`bool`	Match the first network if the container has multiple networks defined, thus avoiding collecting duplicate targets.	`true`	no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`number`	Port to use for collecting metrics when containers don’t have any port mappings.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to refresh list of containers.	`"1m"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.docker:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`filter`

The filter block configures a filter to pass to the Docker Engine to limit the number of containers returned. You can specify the filter block multiple times to provide more than one filter.

Name	Type	Description	Default	Required
`name`	`string`	Filter name to use.		yes
`values`	`list(string)`	Values to pass to the filter.		yes

Refer to List containers from the Docker Engine API documentation for the list of supported filters and their meaning.

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the docker API.

Each target includes the following labels:

__meta_docker_container_id: ID of the container.
__meta_docker_container_label_<labelname>: Each label from the container.
__meta_docker_container_name: Name of the container.
__meta_docker_container_network_mode: Network mode of the container.
__meta_docker_network_id: ID of the Docker network the container is in.
__meta_docker_network_ingress: Set to true if the Docker network is an ingress network.
__meta_docker_network_internal: Set to true if the Docker network is an internal network.
__meta_docker_network_ip: The IP of the container in the network.
__meta_docker_network_label_<labelname>: Each label from the network the container is in.
__meta_docker_network_name: Name of the Docker network the container is in.
__meta_docker_network_scope: The scope of the network the container is in.
__meta_docker_port_private: The private port on the container.
__meta_docker_port_public_ip: The public IP of the container, if a port mapping exists.
__meta_docker_port_public: The publicly exposed port from the container, if a port mapping exists.

Each discovered container maps to one target per unique combination of networks and port mappings used by the container.

Note
Alloy sanitizes Docker label names in __meta_docker_container_label_<labelname> and __meta_docker_network_label_<labelname> to comply with Prometheus label naming requirements. The component converts dots and other non-alphanumeric characters to underscores. Underscores remain unchanged. For example, a Docker label com.example.app.name becomes __meta_docker_container_label_com_example_app_name.

Component health

discovery.docker is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.docker doesn’t expose any component-specific debug information.

Debug metrics

discovery.docker doesn’t expose any component-specific debug metrics.

Examples

Linux or macOS hosts

This example discovers Docker containers when the host machine is macOS or Linux:

discovery.docker "containers" {
  host = "unix:///var/run/docker.sock"
}

prometheus.scrape "demo" {
  targets    = discovery.docker.containers.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Windows hosts

This example discovers Docker containers when the host machine is Windows:

Note
This example requires the “Expose daemon on tcp://localhost:2375 without TLS” setting to be enabled in the Docker Engine settings.

discovery.docker "containers" {
  host = "tcp://localhost:2375"
}

prometheus.scrape "demo" {
  targets    = discovery.docker.containers.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.docker has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.dockerswarm

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.dockerswarm`

discovery.dockerswarm allows you to retrieve scrape targets from Docker Swarm.

Usage

discovery.dockerswarm "<LABEL>" {
  host = "<DOCKER_DAEMON_HOST>"
  role = "<SWARM_ROLE>"
}

Arguments

You can use the following arguments with discovery.dockerswarm:

Name	Type	Description	Default	Required
`host`	`string`	Address of the Docker daemon.		yes
`role`	`string`	Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`number`	The port to scrape metrics from, when `role` is nodes, and for discovered tasks and services that don’t have published ports.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Interval at which to refresh the list of targets.	`"60s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.dockerswarm:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`filter`

The filter block limits the discovery process to a subset of available resources. You can define multiple filter blocks within the discovery.dockerswarm block. The list of available filters depends on the role:

You can use the following arguments to configure a filter.

Name	Type	Description	Default	Required
`name`	`string`	Name of the filter.		yes
`values`	`list(string)`	List of values associated with the filter.		yes

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from Swarm.

Roles

The role attribute decides the role of the targets to retrieve.

`services`

The services role discovers all Swarm services and exposes their ports as targets. For each published port of a service, a single target is generated. If a service has no published ports, a target per service is created using the port attribute defined in the arguments.

Available meta labels:

__meta_dockerswarm_network_id: The ID of the network.
__meta_dockerswarm_network_ingress: Whether the network is ingress.
__meta_dockerswarm_network_internal: Whether the network is internal.
__meta_dockerswarm_network_label_<labelname>: Each label of the network.
__meta_dockerswarm_network_name: The name of the network.
__meta_dockerswarm_network_scope: The scope of the network.
__meta_dockerswarm_service_endpoint_port_name: The name of the endpoint port, if available.
__meta_dockerswarm_service_endpoint_port_publish_mode: The publish mode of the endpoint port.
__meta_dockerswarm_service_id: The ID of the service.
__meta_dockerswarm_service_label_<labelname>: Each label of the service.
__meta_dockerswarm_service_mode: The mode of the service.
__meta_dockerswarm_service_name: The name of the service.
__meta_dockerswarm_service_task_container_hostname: The container hostname of the target, if available.
__meta_dockerswarm_service_task_container_image: The container image of the target.
__meta_dockerswarm_service_updating_status: The status of the service, if available.

`tasks`

The tasks role discovers all Swarm tasks and exposes their ports as targets. For each published port of a task, a single target is generated. If a task has no published ports, a target per task is created using the port attribute defined in the arguments.

Available meta labels:

__meta_dockerswarm_container_label_<labelname>: Each label of the container.
__meta_dockerswarm_network_id: The ID of the network.
__meta_dockerswarm_network_ingress: Whether the network is ingress.
__meta_dockerswarm_network_internal: Whether the network is internal.
__meta_dockerswarm_network_label_<labelname>: Each label of the network.
__meta_dockerswarm_network_label: Each label of the network.
__meta_dockerswarm_network_name: The name of the network.
__meta_dockerswarm_network_scope: The scope of the network.
__meta_dockerswarm_node_address: The address of the node.
__meta_dockerswarm_node_availability: The availability of the node.
__meta_dockerswarm_node_hostname: The hostname of the node.
__meta_dockerswarm_node_id: The ID of the node.
__meta_dockerswarm_node_label_<labelname>: Each label of the node.
__meta_dockerswarm_node_platform_architecture: The architecture of the node.
__meta_dockerswarm_node_platform_os: The operating system of the node.
__meta_dockerswarm_node_role: The role of the node.
__meta_dockerswarm_node_status: The status of the node.
__meta_dockerswarm_service_id: The ID of the service.
__meta_dockerswarm_service_label_<labelname>: Each label of the service.
__meta_dockerswarm_service_mode: The mode of the service.
__meta_dockerswarm_service_name: The name of the service.
__meta_dockerswarm_task_container_id: The container ID of the task.
__meta_dockerswarm_task_desired_state: The desired state of the task.
__meta_dockerswarm_task_id: The ID of the task.
__meta_dockerswarm_task_port_publish_mode: The publish mode of the task port.
__meta_dockerswarm_task_slot: The slot of the task.
__meta_dockerswarm_task_state: The state of the task.

The __meta_dockerswarm_network_* meta labels aren’t populated for ports which are published with mode=host.

`nodes`

The nodes role is used to discover Swarm nodes.

Available meta labels:

__meta_dockerswarm_node_address: The address of the node.
__meta_dockerswarm_node_availability: The availability of the node.
__meta_dockerswarm_node_engine_version: The version of the node engine.
__meta_dockerswarm_node_hostname: The hostname of the node.
__meta_dockerswarm_node_id: The ID of the node.
__meta_dockerswarm_node_label_<labelname>: Each label of the node.
__meta_dockerswarm_node_manager_address: The address of the manager component of the node.
__meta_dockerswarm_node_manager_leader: The leadership status of the manager component of the node (true or false).
__meta_dockerswarm_node_manager_reachability: The reachability of the manager component of the node.
__meta_dockerswarm_node_platform_architecture: The architecture of the node.
__meta_dockerswarm_node_platform_os: The operating system of the node.
__meta_dockerswarm_node_role: The role of the node.
__meta_dockerswarm_node_status: The status of the node.

Component health

discovery.dockerswarm is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.dockerswarm doesn’t expose any component-specific debug information.

Debug metrics

discovery.dockerswarm doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from Docker Swarm tasks:

discovery.dockerswarm "example" {
  host = "unix:///var/run/docker.sock"
  role = "tasks"

  filter {
    name = "id"
    values = ["0kzzo1i0y4jz6027t0k7aezc7"]
  }

  filter {
    name = "desired-state"
    values = ["running", "accepted"]
  }
}

prometheus.scrape "demo" {
  targets    = discovery.dockerswarm.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.dockerswarm has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.ec2

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.ec2`

discovery.ec2 lets you retrieve scrape targets from EC2 instances. The private IP address is used by default, but you can change it to the public IP address using relabeling.

The IAM credentials used must have the ec2:DescribeInstances permission to discover scrape targets, and may optionally have the ec2:DescribeAvailabilityZones permission to make the availability zone ID available as a label.

Usage

discovery.ec2 "<LABEL>" {
}

Arguments

You can use the following arguments with discovery.ec2:

Name	Type	Description	Default	Required
`access_key`	`string`	The AWS API key ID. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used.		no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`endpoint`	`string`	Custom endpoint to be used.		no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.	`80`	no
`profile`	`string`	Named AWS profile used to connect to the API.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Refresh interval to re-read the instance list.	`"60s"`	no
`region`	`string`	The AWS region. If blank, the region from the instance metadata is used.		no
`role_arn`	`string`	AWS Role Amazon Resource Name (ARN), an alternative to using AWS API keys.		no
`secret_key`	`string`	The AWS API key secret. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used.		no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.ec2:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`filter`

The filter block filters the instance list by other criteria. Refer to the Amazon EC2 documentation for more information about filters.

Name	Type	Description	Default	Required
`name`	`string`	Filter name to use.		yes
`values`	`list(string)`	Values to pass to the filter.		yes

Refer to the Filter API AWS EC2 documentation for the list of supported filters and their descriptions.

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of discovered EC2 targets.

Each target includes the following labels:

__meta_ec2_ami: The EC2 Amazon Machine Image.
__meta_ec2_architecture: The architecture of the instance.
__meta_ec2_availability_zone_id: The availability zone ID in which the instance is running. Requires ec2:DescribeAvailabilityZones.
__meta_ec2_availability_zone: The availability zone in which the instance is running.
__meta_ec2_instance_id: The EC2 instance ID.
__meta_ec2_instance_lifecycle: The lifecycle of the EC2 instance, set only for ‘spot’ or ‘scheduled’ instances, absent otherwise.
__meta_ec2_instance_state: The state of the EC2 instance.
__meta_ec2_instance_type: The type of the EC2 instance.
__meta_ec2_ipv6_addresses: Comma-separated list of IPv6 addresses assigned to the instance’s network interfaces, if present.
__meta_ec2_owner_id: The ID of the AWS account that owns the EC2 instance.
__meta_ec2_platform: The Operating System platform, set to ‘windows’ on Windows servers, absent otherwise.
__meta_ec2_primary_ipv6_addresses: Comma separated list of the Primary IPv6 addresses of the instance, if present. The list is ordered based on the position of each corresponding network interface in the attachment order.
__meta_ec2_primary_subnet_id: The subnet ID of the primary network interface, if available.
__meta_ec2_private_dns_name: The private DNS name of the instance, if available.
__meta_ec2_private_ip: The private IP address of the instance, if present.
__meta_ec2_public_dns_name: The public DNS name of the instance, if available.
__meta_ec2_public_ip: The public IP address of the instance, if available.
__meta_ec2_region: The region of the instance.
__meta_ec2_subnet_id: Comma-separated list of subnets IDs in which the instance is running, if available.
__meta_ec2_tag_<tagkey>: Each tag value of the instance.
__meta_ec2_vpc_id: The ID of the VPC in which the instance is running, if available.

Component health

discovery.ec2 is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.ec2 doesn’t expose any component-specific debug information.

Debug metrics

discovery.ec2 doesn’t expose any component-specific debug metrics.

Example

discovery.ec2 "ec2" {
  region = "us-east-1"
}

prometheus.scrape "demo" {
  targets    = discovery.ec2.ec2.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.ec2 has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.eureka

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.eureka`

discovery.eureka discovers instances in a Eureka Registry and exposes them as targets.

Usage

discovery.eureka "<LABEL>" {
    server = "<SERVER>"
}

Arguments

You can use the following arguments with discovery.eureka:

Name	Type	Description	Default	Required
`server`	`string`	Eureka server URL.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Interval at which to refresh the list of targets.	`"30s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.eureka:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Eureka API.

Each target includes the following labels:

__meta_eureka_app_instance_country_id
__meta_eureka_app_instance_datacenterinfo_metadata_
__meta_eureka_app_instance_datacenterinfo_name
__meta_eureka_app_instance_healthcheck_url
__meta_eureka_app_instance_homepage_url
__meta_eureka_app_instance_hostname
__meta_eureka_app_instance_id
__meta_eureka_app_instance_ip_addr
__meta_eureka_app_instance_metadata_
__meta_eureka_app_instance_port_enabled
__meta_eureka_app_instance_port
__meta_eureka_app_instance_secure_port_enabled
__meta_eureka_app_instance_secure_port
__meta_eureka_app_instance_secure_vip_address
__meta_eureka_app_instance_status
__meta_eureka_app_instance_statuspage_url
__meta_eureka_app_instance_vip_address
__meta_eureka_app_name

Component health

discovery.eureka is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.eureka doesn’t expose any component-specific debug information.

Debug metrics

discovery.eureka doesn’t expose any component-specific debug metrics.

Example

discovery.eureka "example" {
    server = "https://eureka.example.com/eureka/v1"
}

prometheus.scrape "demo" {
  targets    = discovery.eureka.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.eureka has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.file

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.file`

discovery.file discovers targets from a set of files, similar to the Prometheus file_sd_config.

Usage

discovery.file "<LABEL>" {
  files = ["<FILE_PATH_1>", "<FILE_PATH_2>", ...]
}

Arguments

You can use the following arguments with discovery.file:

Name	Type	Description	Default	Required
`files`	`list(string)`	Files to read and discover targets from.		yes
`refresh_interval`	`duration`	How often to sync targets.	`"5m"`	no

The last path segment of each element in files may contain a single * that matches any character sequence, for example, my/path/tg_*.json.

Blocks

The discovery.file component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the filesystem.

Each target includes the following labels:

__meta_filepath: The absolute path to the file the target was discovered from.

Component health

discovery.file is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.file doesn’t expose any component-specific debug information.

Debug metrics

discovery.file doesn’t expose any component-specific debug metrics.

Examples

The following examples show you how to configure the discovery.file component.

Example target files

[
  {
    "targets": [ "127.0.0.1:9091", "127.0.0.1:9092" ],
    "labels": {
      "environment": "dev"
    }
  },
  {
    "targets": [ "127.0.0.1:9093" ],
    "labels": {
      "environment": "prod"
    }
  }
]

- targets:
  - 127.0.0.1:9999
  - 127.0.0.1:10101
  labels:
    job: worker
- targets:
  - 127.0.0.1:9090
  labels:
    job: prometheus

Basic file discovery

This example discovers targets from a single file, scrapes them, and writes metrics to a Prometheus remote write endpoint.

discovery.file "example" {
  files = ["/tmp/example.json"]
}

prometheus.scrape "default" {
  targets    = discovery.file.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

File discovery with retained file path label

This example discovers targets from a wildcard file path, scrapes them, and writes metrics to a Prometheus remote write endpoint.

It also uses a relabeling rule to retain the file path as a label on each target.

discovery.file "example" {
  files = ["/tmp/example_*.yaml"]
}

discovery.relabel "keep_filepath" {
  targets = discovery.file.example.targets
  rule {
    source_labels = ["__meta_filepath"]
    target_label = "filepath"
  }
}

prometheus.scrape "default" {
  targets    = discovery.relabel.keep_filepath.output
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = <PROMETHEUS_REMOTE_WRITE_URL>

    basic_auth {
      username = <USERNAME>
      password = <PASSWORD>
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.file has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.gce

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.gce`

discovery.gce allows you to retrieve scrape targets from Google Compute Engine (GCE) instances. The private IP address is used by default, but may be changed to the public IP address with relabeling.

Credentials are discovered by the Google Cloud SDK default client by looking in the following places, preferring the first location found:

A JSON file specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.
A JSON file in the well-known path $HOME/.config/gcloud/application_default_credentials.json.
Fetched from the GCE metadata server.

If Alloy is running within GCE, the service account associated with the instance it’s running on should have at least read-only permissions to the compute resources. If running outside of GCE make sure to create an appropriate service account and place the credential file in one of the expected locations.

Usage

discovery.gce "<LABEL>" {
  project = "<PROJECT_NAME>"
  zone    = "<ZONE_NAME>"
}

Arguments

You can use the following arguments with discovery.gce:

Name	Type	Description	Default	Required
`project`	`string`	The Google Cloud Platform Project.		yes
`zone`	`string`	The zone of the scrape targets.		yes
`filter`	`string`	Filter can be used optionally to filter the instance list by other criteria.		no
`port`	`int`	The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.	`80`	no
`refresh_interval`	`duration`	Refresh interval to re-read the instance list.	`"60s"`	no
`tag_separator`	`string`	The tag separator is used to separate the tags on concatenation.	`","`	no

For more information on the syntax of the filter argument, refer to Google’s filter documentation for Method: instances.list.

Blocks

The discovery.gce component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of discovered GCE targets.

Each target includes the following labels:

__meta_gce_instance_id: The numeric ID of the instance.
__meta_gce_instance_name: The name of the instance.
__meta_gce_interface_ipv4_NAME: The IPv4 address of each named interface.
__meta_gce_label_LABEL_NAME: Each GCE label of the instance.
__meta_gce_machine_type: The full or partial URL of the machine type of the instance.
__meta_gce_metadata_NAME: Each metadata item of the instance.
__meta_gce_network: The network URL of the instance.
__meta_gce_private_ip: The private IP address of the instance.
__meta_gce_project: The GCP project in which the instance is running.
__meta_gce_public_ip: The public IP address of the instance, if present.
__meta_gce_subnetwork: The subnetwork URL of the instance.
__meta_gce_tags: A comma separated list of instance tags.
__meta_gce_zone: The GCE zone URL in which the instance is running.

Component health

discovery.gce is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.gce doesn’t expose any component-specific debug information.

Debug metrics

discovery.gce doesn’t expose any component-specific debug metrics.

Example

discovery.gce "gce" {
  project = "alloy"
  zone    = "us-east1-a"
}

prometheus.scrape "demo" {
  targets    = discovery.gce.gce.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.gce has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.hetzner

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.hetzner`

discovery.hetzner allows retrieving scrape targets from Hetzner Cloud API and Robot API. This service discovery uses the public IPv4 address by default, but that can be changed with relabeling.

Usage

discovery.hetzner "<LABEL>" {
  role = "<HETZNER_ROLE>"
}

Arguments

You can use the following arguments with discovery.hetzner:

Name	Type	Description	Default	Required
`role`	`string`	Hetzner role of entities that should be discovered.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	The port to scrape metrics from.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	The time after which the servers are refreshed.	`"60s"`	no

role must be one of robot or hcloud.

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.hetzner:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Hetzner catalog API.

Each target includes the following labels:

__meta_hetzner_datacenter: The data center of the server
__meta_hetzner_public_ipv4: The public IPv4 address of the server.
__meta_hetzner_public_ipv6_network: The public IPv6 network (/64) of the server.
__meta_hetzner_server_id: The ID of the server.
__meta_hetzner_server_name: The name of the server.
__meta_hetzner_server_status: The status of the server.

`hcloud`

The labels below are only available for targets with role set to hcloud:

__meta_hetzner_hcloud_cpu_cores: The CPU cores count of the server.
__meta_hetzner_hcloud_cpu_type: The CPU type of the server (shared or dedicated).
__meta_hetzner_hcloud_datacenter_location_network_zone: The network zone of the server.
__meta_hetzner_hcloud_datacenter_location: The location of the server.
__meta_hetzner_hcloud_disk_size_gb: The disk size of the server (in GB).
__meta_hetzner_hcloud_image_description: The description of the server image.
__meta_hetzner_hcloud_image_name: The image name of the server.
__meta_hetzner_hcloud_image_os_flavor: The OS flavor of the server image.
__meta_hetzner_hcloud_image_os_version: The OS version of the server image.
__meta_hetzner_hcloud_label_<labelname>: Each label of the server.
__meta_hetzner_hcloud_labelpresent_<labelname>: true for each label of the server.
__meta_hetzner_hcloud_memory_size_gb: The amount of memory of the server (in GB).
__meta_hetzner_hcloud_private_ipv4_<networkname>: The private IPv4 address of the server within a given network.
__meta_hetzner_hcloud_server_type: The type of the server.

`robot`

The labels below are only available for targets with role set to robot:

__meta_hetzner_robot_cancelled: The server cancellation status.
__meta_hetzner_robot_product: The product of the server.

Component health

discovery.hetzner is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.hetzner doesn’t expose any component-specific debug information.

Debug metrics

discovery.hetzner doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from Hetzner:

discovery.hetzner "example" {
  role = "<HETZNER_ROLE>"
}

prometheus.scrape "demo" {
  targets    = discovery.hetzner.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<HETZNER_ROLE>: The role of the entities that should be discovered.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.hetzner has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.http

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.http`

discovery.http provides a flexible way to define targets by querying an external http endpoint.

It fetches targets from an HTTP endpoint containing a list of zero or more target definitions. The target must reply with an HTTP 200 response. The HTTP header Content-Type must be application/json, and the body must be valid JSON.

Example response body:

[
  {
    "targets": [ "<HOST>", ... ],
    "labels": {
      "<labelname>": "<LABELVALUE>", ...
    }
  },
  ...
]

It’s possible to use additional fields in the JSON to pass parameters to prometheus.scrape such as the metricsPath and scrape_interval.

The following example provides a target with a custom metricsPath, scrape interval, and timeout value:

[
   {
      "labels" : {
         "__metrics_path__" : "/api/prometheus",
         "__scheme__" : "https",
         "__scrape_interval__" : "60s",
         "__scrape_timeout__" : "10s",
         "service" : "custom-api-service"
      },
      "targets" : [
         "custom-api:443"
      ]
   },
]

It’s also possible to append query parameters to the metrics path with the __param_<name> syntax.

The following example calls the metrics path /health?target_data=prometheus:

[
   {
      "labels" : {
         "__metrics_path__" : "/health",
         "__scheme__" : "https",
         "__scrape_interval__" : "60s",
         "__scrape_timeout__" : "10s",
         "__param_target_data": "prometheus",
         "service" : "custom-api-service"
      },
      "targets" : [
         "custom-api:443"
      ]
   },
]

For more information on the potential labels you can use, refer to the prometheus.scrape technical details section, or the Prometheus Configuration documentation.

Usage

discovery.http "<LABEL>" {
  url = "<URL>"
}

Arguments

You can use the following arguments with discovery.http:

Name	Type	Description	Default	Required
`url`	`string`	URL to scrape.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	How often to refresh targets.	`"60s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.http:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the filesystem.

Each target includes the following labels:

__meta_url: URL the target was obtained from.

Component health

discovery.http is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.http doesn’t expose any component-specific debug information.

Debug metrics

prometheus_sd_http_failures_total (counter): Total number of refresh failures.

Examples

This example queries a URL every 15 seconds and exposes the targets that it finds:

discovery.http "dynamic_targets" {
  url = "https://example.com/scrape_targets"
  refresh_interval = "15s"
}

Compatible components

discovery.http has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.ionos

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.ionos`

discovery.ionos allows you to retrieve scrape targets from IONOS Cloud API.

Usage

discovery.ionos "<LABEL>" {
    datacenter_id = "<DATACENTER_ID>"
}

Arguments

You can use the following arguments with discovery.ionos:

Name	Type	Description	Default	Required
`datacenter_id`	`string`	The unique ID of the data center.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	The port to scrape metrics from.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	The time after which the servers are refreshed.	`"60s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.ionos:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the IONOS Cloud API.

Each target includes the following labels:

__meta_ionos_server_availability_zone: The availability zone of the server.
__meta_ionos_server_boot_cdrom_id: The ID of the CD-ROM the server is booted from.
__meta_ionos_server_boot_image_id: The ID of the boot image or snapshot the server is booted from.
__meta_ionos_server_boot_volume_id: The ID of the boot volume.
__meta_ionos_server_cpu_family: The CPU family of the server to.
__meta_ionos_server_id: The ID of the server.
__meta_ionos_server_ip: A comma separated list of all IP addresses assigned to the server.
__meta_ionos_server_lifecycle: The lifecycle state of the server resource.
__meta_ionos_server_name: The name of the server.
__meta_ionos_server_nic_ip_<nic_name>: A comma separated list of IP addresses, grouped by the name of each NIC attached to the server.
__meta_ionos_server_servers_id: The ID of the servers the server belongs to.
__meta_ionos_server_state: The execution state of the server.
__meta_ionos_server_type: The type of the server.

Component health

discovery.ionos is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.ionos doesn’t expose any component-specific debug information.

Debug metrics

discovery.ionos doesn’t expose any component-specific debug metrics.

Example

discovery.ionos "example" {
    datacenter_id = "15f67991-0f51-4efc-a8ad-ef1fb31a480c"
}

prometheus.scrape "demo" {
  targets    = discovery.ionos.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.ionos has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.kubelet

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.kubelet`

discovery.kubelet discovers Kubernetes Pods running on the specified Kubelet and exposes them as scrape targets.

Usage

discovery.kubelet "LABEL" {
}

Requirements

The Kubelet must be reachable from the alloy Pod network.
Follow the Kubelet authorization documentation to configure authentication to the Kubelet API.

Arguments

You can use the following arguments with discovery.kubelet:

Name	Type	Description	Default	Required
`url`	`string`	URL of the Kubelet server.	`"https://localhost:10250"`	no
`refresh_interval`	`duration`	How often the Kubelet should be polled for scrape targets.	`"5s"`	no
`namespaces`	`list(string)`	A list of namespaces to extract target Pods from.		no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no

The namespaces list limits the namespaces to discover resources in. If omitted, all namespaces are searched.

discovery.kubelet appends a /pods path to url to request the available Pods. You can have additional paths in the url. For example, if url is https://kubernetes.default.svc.cluster.local:443/api/v1/nodes/cluster-node-1/proxy, then discovery.kubelet sends a request on https://kubernetes.default.svc.cluster.local:443/api/v1/nodes/cluster-node-1/proxy/pods

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.kubelet:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Kubelet API.

Each target includes the following labels:

__address__: The target address to scrape derived from the Pod IP and container port.
__meta_kubernetes_namespace: The namespace of the Pod object.
__meta_kubernetes_pod_name: The name of the Pod object.
__meta_kubernetes_pod_ip: The Pod IP of the Pod object.
__meta_kubernetes_pod_label_<labelname>: Each label from the Pod object.
__meta_kubernetes_pod_labelpresent_<labelname>: true for each label from the Pod object.
__meta_kubernetes_pod_annotation_<annotationname>: Each annotation from the Pod object.
__meta_kubernetes_pod_annotationpresent_<annotationname>: true for each annotation from the Pod object.
__meta_kubernetes_pod_container_init: true if the container is an InitContainer.
__meta_kubernetes_pod_container_name: Name of the container the target address points to.
__meta_kubernetes_pod_container_id: ID of the container the target address points to. The ID is in the form <type>://<container_id>.
__meta_kubernetes_pod_container_image: The image the container is using.
__meta_kubernetes_pod_container_port_name: Name of the container port.
__meta_kubernetes_pod_container_port_number: Number of the container port.
__meta_kubernetes_pod_container_port_protocol: Protocol of the container port.
__meta_kubernetes_pod_ready: Set to true or false for the Pod’s ready state.
__meta_kubernetes_pod_phase: Set to Pending, Running, Succeeded, Failed or Unknown in the lifecycle.
__meta_kubernetes_pod_node_name: The name of the node the Pod is scheduled onto.
__meta_kubernetes_pod_host_ip: The current host IP of the Pod object.
__meta_kubernetes_pod_uid: The UID of the Pod object.
__meta_kubernetes_pod_controller_kind: Object kind of the Pod controller.
__meta_kubernetes_pod_controller_name: Name of the Pod controller.

Note
The Kubelet API used by this component is an internal API and therefore the data in the response returned from the API can’t be guaranteed between different versions of the Kubelet.

Component health

discovery.kubelet is reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.kubelet doesn’t expose any component-specific debug information.

Debug metrics

discovery.kubelet doesn’t expose any component-specific debug metrics.

Examples

Bearer token file authentication

This example uses a bearer token file to authenticate to the Kubelet API:

discovery.kubelet "k8s_pods" {
  bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
}

prometheus.scrape "demo" {
  targets    = discovery.kubelet.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Limit searched namespaces

This example limits the namespaces where Pods are discovered using the namespaces argument:

discovery.kubelet "k8s_pods" {
  bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
  namespaces = ["default", "kube-system"]
}

prometheus.scrape "demo" {
  targets    = discovery.kubelet.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = ">PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.kubelet has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.kubernetes

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.kubernetes`

discovery.kubernetes allows you to find scrape targets from Kubernetes resources. It watches cluster state and ensures targets are continually synced with what’s running in your cluster.

If you supply no connection information, this component defaults to an in-cluster configuration. You can use a kubeconfig file or manual connection settings to override the defaults.

Performance considerations

By default, discovery.kubernetes discovers resources across all namespaces in your cluster.

Caution
In DaemonSet deployments, each Alloy Pod discovers and watches all resources across the cluster by default. This can significantly increase API server load and memory usage, and may cause API throttling on managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), or Google Kubernetes Engine (GKE).

For better performance and reduced API load:

Use the namespaces block to limit discovery to specific namespaces.
Use selectors to filter resources by labels or fields.
Consider the node-local example in Limit to only Pods on the same node.
Use discovery.kubelet for DaemonSet deployments to discover only Pods on the local node.
Use clustering mode for larger deployments to distribute the discovery load.
Monitor API server metrics like request rate, throttling, and memory usage, especially on managed clusters.

Usage

discovery.kubernetes "<LABEL>" {
  role = "<DISCOVERY_ROLE>"
}

Arguments

You can use the following arguments with discovery.kubernetes:

Name	Type	Description	Default	Required
`role`	`string`	Type of Kubernetes resource to query.		yes
`api_server`	`string`	URL of Kubernetes API server.		no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Support HTTP2 for requests.	`true`	no
`follow_redirects`	`bool`	Follow redirects returned by the server.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to send with each request. The map key is the header name.		no
`kubeconfig_file`	`string`	Path of `kubeconfig` file to use for connecting to Kubernetes.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no

You can provide at most one of the following:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

The role argument specifies the type of targets to discover. role must be one of node, pod, service, endpoints, endpointslice, or ingress.

`node` role

The node role discovers one target per cluster node with the address defaulting to the HTTP port of the kubelet daemon. The target address defaults to the first address of the Kubernetes node object in the address type order of NodeInternalIP, NodeExternalIP, NodeLegacyHostIP, and NodeHostName.

Discovered nodes include the following labels:

__meta_kubernetes_node_address_<address_type>: The first address for each node address type, if it exists.
__meta_kubernetes_node_annotation_<annotationname>: Each annotation from the node object.
__meta_kubernetes_node_annotationpresent_<annotationname>: Set to true for each annotation from the node object.
__meta_kubernetes_node_label_<labelname>: Each label from the node object.
__meta_kubernetes_node_labelpresent_<labelname>: Set to true for each label from the node object.
__meta_kubernetes_node_name: The name of the node object.
__meta_kubernetes_node_provider_id: The cloud provider’s name for the node object.

In addition, the component sets the instance label for the node to the node name retrieved from the API server.

`service` role

The service role discovers a target for each port of each service. This is generally useful for externally monitoring a service. The component sets the address to the Kubernetes DNS name of the service and respective service port.

Discovered services include the following labels:

__meta_kubernetes_namespace: The namespace of the service object.
__meta_kubernetes_service_annotation_<annotationname>: Each annotation from the service object.
__meta_kubernetes_service_annotationpresent_<annotationname>: true for each annotation of the service object.
__meta_kubernetes_service_cluster_ip: The cluster IP address of the service. This doesn’t apply to services of type ExternalName.
__meta_kubernetes_service_external_name: The DNS name of the service. This only applies to services of type ExternalName.
__meta_kubernetes_service_label_<labelname>: Each label from the service object.
__meta_kubernetes_service_labelpresent_<labelname>: true for each label of the service object.
__meta_kubernetes_service_name: The name of the service object.
__meta_kubernetes_service_port_name: Name of the service port for the target.
__meta_kubernetes_service_port_number: Number of the service port for the target.
__meta_kubernetes_service_port_protocol: Protocol of the service port for the target.
__meta_kubernetes_service_type: The type of the service.

`pod` role

The pod role discovers all Pods and exposes their containers as targets. The component generates a single target for each declared port of a container.

If a container has no specified ports, the component creates a port-free target per container. You must manually inject a port using a discovery.relabel component before you can collect metrics from these targets.

Discovered Pods include the following labels:

__meta_kubernetes_namespace: The namespace of the Pod object.
__meta_kubernetes_pod_annotation_<annotationname>: Each annotation from the Pod object.
__meta_kubernetes_pod_annotationpresent_<annotationname>: true for each annotation from the Pod object.
__meta_kubernetes_pod_container_id: ID of the container the target address points to. The ID is in the form <type>://<container_id>.
__meta_kubernetes_pod_container_image: The container image.
__meta_kubernetes_pod_container_init: true if the container is an InitContainer.
__meta_kubernetes_pod_container_name: Name of the container the target address points to.
__meta_kubernetes_pod_container_port_name: Name of the container port.
__meta_kubernetes_pod_container_port_number: Number of the container port.
__meta_kubernetes_pod_container_port_protocol: Protocol of the container port.
__meta_kubernetes_pod_controller_kind: Object kind of the Pod controller.
__meta_kubernetes_pod_controller_name: Name of the Pod controller.
__meta_kubernetes_pod_host_ip: The current host IP of the Pod object.
__meta_kubernetes_pod_ip: The Pod IP of the Pod object.
__meta_kubernetes_pod_label_<labelname>: Each label from the Pod object.
__meta_kubernetes_pod_labelpresent_<labelname>: true for each label from the Pod object.
__meta_kubernetes_pod_name: The name of the Pod object.
__meta_kubernetes_pod_node_name: The name of the node where the Pod runs.
__meta_kubernetes_pod_phase: Set to Pending, Running, Succeeded, Failed, or Unknown in the lifecycle.
__meta_kubernetes_pod_ready: Set to true or false for the Pod’s ready state.
__meta_kubernetes_pod_uid: The UID of the Pod object.

`endpoints` role

The endpoints role discovers targets from listed endpoints of a service. The component discovers one target per port for each endpoint address. If a Pod backs the endpoint, the component discovers all container ports of the Pod as targets even if they aren’t bound to an endpoint port.

Warning
The Endpoints API is deprecated in Kubernetes v1.33+. Use the EndpointSlice API instead, and switch to the endpointslice role below.

Discovered endpoints include the following labels:

__meta_kubernetes_endpoints_label_<labelname>: Each label from the endpoints object.
__meta_kubernetes_endpoints_labelpresent_<labelname>: true for each label from the endpoints object.
__meta_kubernetes_endpoints_name: The name of the endpoints object.
__meta_kubernetes_namespace: The namespace of the endpoints object.
The component attaches the following labels to all targets discovered directly from the endpoints list:
- __meta_kubernetes_endpoint_address_target_kind: Kind of the endpoint address target.
- __meta_kubernetes_endpoint_address_target_name: Name of the endpoint address target.
- __meta_kubernetes_endpoint_hostname: Hostname of the endpoint.
- __meta_kubernetes_endpoint_node_name: Name of the node hosting the endpoint.
- __meta_kubernetes_endpoint_port_name: Name of the endpoint port.
- __meta_kubernetes_endpoint_port_protocol: Protocol of the endpoint port.
- __meta_kubernetes_endpoint_ready: Set to true or false for the endpoint’s ready state.
If the endpoints belong to a service, all labels of the service role discovery are also included.
If a Pod backs the target, all labels of the pod role discovery are also included.

`endpointslice` role

The endpointslice role discovers targets from Kubernetes endpoint slices. The component discovers one target for each endpoint address referenced in the EndpointSlice object. If a Pod backs the endpoint, the component discovers all container ports of the Pod as targets even if they’re not bound to an endpoint port.

Discovered endpoint slices include the following labels:

__meta_kubernetes_endpointslice_name: The name of the endpoint slice object.
__meta_kubernetes_namespace: The namespace of the endpoints object.
The component attaches the following labels to all targets discovered directly from the endpoint slice list:
- __meta_kubernetes_endpointslice_address_target_kind: Kind of the referenced object.
- __meta_kubernetes_endpointslice_address_target_name: Name of the referenced object.
- __meta_kubernetes_endpointslice_address_type: The IP protocol family of the target address.
- __meta_kubernetes_endpointslice_endpoint_conditions_ready: Set to true or false for the referenced endpoint’s ready state.
- __meta_kubernetes_endpointslice_endpoint_topology_kubernetes_io_hostname: Name of the node hosting the referenced endpoint.
- __meta_kubernetes_endpointslice_endpoint_topology_present_kubernetes_io_hostname: true if the referenced object has a kubernetes.io/hostname annotation.
- __meta_kubernetes_endpointslice_endpoint_hostname: Hostname of the referenced endpoint.
- __meta_kubernetes_endpointslice_endpoint_node_name: Name of the node hosting the referenced endpoint.
- __meta_kubernetes_endpointslice_endpoint_zone: The zone where the referenced endpoint exists. Only available when using the discovery.k8s.io/v1 API group.
- __meta_kubernetes_endpointslice_port_name: Name of the port for the referenced endpoint.
- __meta_kubernetes_endpointslice_port_protocol: Protocol of the referenced endpoint.
- __meta_kubernetes_endpointslice_port: Port of the referenced endpoint.
If the endpoints belong to a service, all labels of the service role discovery are also included.
If a Pod backs the target, all labels of the pod role discovery are also included.

`ingress` role

The ingress role discovers a target for each path of each ingress. This is generally useful for externally monitoring an ingress. The component sets the address to the host specified in the Kubernetes Ingress’s spec block.

Discovered ingress objects include the following labels:

__meta_kubernetes_ingress_annotation_<annotationname>: Each annotation from the ingress object.
__meta_kubernetes_ingress_annotationpresent_<annotationname>: true for each annotation from the ingress object.
__meta_kubernetes_ingress_class_name: Class name from ingress spec, if present.
__meta_kubernetes_ingress_label_<labelname>: Each label from the ingress object.
__meta_kubernetes_ingress_labelpresent_<labelname>: true for each label from the ingress object.
__meta_kubernetes_ingress_name: The name of the ingress object.
__meta_kubernetes_ingress_path: Path from ingress spec. Defaults to /.
__meta_kubernetes_ingress_scheme: Protocol scheme of ingress, https when using TLS. Defaults to http.
__meta_kubernetes_namespace: The namespace of the ingress object.

Blocks

You can use the following blocks with discovery.kubernetes:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`attach_metadata`

The attach_metadata block allows you to attach node metadata to discovered targets.

Name	Type	Description	Default	Required
`node`	`bool`	Attach node metadata. Valid for the `pod`, `endpoints`, and `endpointslice` roles. Requires permissions to list/watch Nodes.		no
`namespace`	`bool`	Attach namespace metadata. Valid for the `pod`, `endpoints`, `endpointslice`, `service`, and `ingress` roles. Requires permissions to list/watch Namespaces.		no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`namespaces`

The namespaces block limits the namespaces to discover resources in. If you omit this block, the component searches all namespaces.

Name	Type	Description	Default	Required
`names`	`list(string)`	List of namespaces to search.		no
`own_namespace`	`bool`	Include the namespace Alloy is running in.		no

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`selectors`

The selectors block contains optional label and field selectors to limit the discovery process to a subset of resources.

Name	Type	Description	Required
`role`	`string`	Role of the selector.	yes
`field`	`string`	Field selector string.	no
`label`	`string`	Label selector string.	no

Refer to Kubernetes’ documentation for Field selectors and Labels and selectors to learn more about the filters you can use.

The endpoints role supports Pod, service, and endpoints selectors. The Pod role supports node selectors when configured with attach_metadata: {node: true}. Other roles only support selectors matching the role itself. For example, node role can only contain node selectors.

Note
Using multiple discovery.kubernetes components with different selectors may increase load on the Kubernetes API.

Use selectors to retrieve a small set of resources in a very large cluster. For smaller clusters, use a discovery.relabel component to filter targets instead.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

discovery.kubernetes exports the following fields that other components can reference:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Kubernetes API.

Component health

discovery.kubernetes reports as unhealthy when you provide an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.kubernetes doesn’t expose any component-specific debug information.

Debug metrics

discovery.kubernetes doesn’t expose any component-specific debug metrics.

Examples

In-cluster discovery

This example uses in-cluster authentication to discover all Pods:

discovery.kubernetes "k8s_pods" {
  role = "pod"
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

`kubeconfig` file authentication

This example uses a kubeconfig file to authenticate to the Kubernetes API:

discovery.kubernetes "k8s_pods" {
  role = "pod"
  kubeconfig_file = "/etc/k8s/kubeconfig.yaml"
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Limit searched namespaces and filter by label

This example limits the searched namespaces and selects only Pods with a specific label:

discovery.kubernetes "k8s_pods" {
  role = "pod"

  selectors {
    role = "pod"
    label = "app.kubernetes.io/name=prometheus-node-exporter"
  }

  namespaces {
    names = ["myapp"]
  }
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Limit to only Pods on the same node

This example limits the search to Pods on the same node as this Alloy. Use this configuration when running Alloy as a DaemonSet to significantly reduce API server load and memory usage by only watching local Pods instead of all Pods cluster-wide.

Note
This example assumes you used the Helm chart to deploy Alloy in Kubernetes, which sets HOSTNAME to the Kubernetes host name. If you have a custom Kubernetes Deployment, you must adapt this example to your configuration.

As an alternative, you can use discovery.kubelet which queries the local kubelet API directly and only returns Pods running on the same node.

discovery.kubernetes "k8s_pods" {
  role = "pod"
  selectors {
    role = "pod"
    field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname)
  }
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.kubernetes has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.kuma

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.kuma`

discovery.kuma discovers scrape target from the Kuma control plane.

Usage

discovery.kuma "LABEL" {
    server = "SERVER"
}

Arguments

You can use the following arguments with discovery.kuma:

Name	Type	Description	Default	Required
`server`	`string`	Address of the Kuma Control Plane’s MADS xDS server.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`fetch_timeout`	`duration`	Timeout for fetching monitoring assignments.	`"2m"`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	The time to wait between polling update requests.	`"30s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.kuma:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Kuma API.

The following meta labels are available on targets and can be used by the discovery.relabel component:

__meta_kuma_dataplane: The name of the proxy.
__meta_kuma_label_<tagname>: Each tag of the proxy.
__meta_kuma_mesh: The name of the proxy’s Mesh.
__meta_kuma_service: The name of the proxy’s associated Service.

Component health

discovery.kuma is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.kuma doesn’t expose any component-specific debug information.

Debug metrics

discovery.kuma doesn’t expose any component-specific debug metrics.

Example

discovery.kuma "example" {
    server     = "http://kuma-control-plane.kuma-system.svc:5676"
}
prometheus.scrape "demo" {
    targets    = discovery.kuma.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}
prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"
        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.kuma has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.lightsail

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.lightsail`

discovery.lightsail allows retrieving scrape targets from Amazon Lightsail instances. The private IP address is used by default, but may be changed to the public IP address with relabeling.

Usage

discovery.lightsail "<LABEL>" {
}

Arguments

You can use the following arguments with discovery.lightsail:

Name	Type	Description	Default	Required
`access_key`	`string`	The AWS API key ID. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used.		no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`endpoint`	`string`	Custom endpoint to be used.		no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.	`80`	no
`profile`	`string`	Named AWS profile used to connect to the API.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Refresh interval to re-read the instance list.	`"60s"`	no
`region`	`string`	The AWS region. If blank, the region from the instance metadata is used.		no
`role_arn`	`string`	AWS Role ARN, an alternative to using AWS API keys.		no
`secret_key`	`string`	The AWS API key secret. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used.		no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
`bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.lightsail:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of discovered Lightsail targets.

Each target includes the following labels:

__meta_lightsail_availability_zone: The availability zone in which the instance is running.
__meta_lightsail_blueprint_id: The Lightsail blueprint ID.
__meta_lightsail_bundle_id: The Lightsail bundle ID.
__meta_lightsail_instance_name: The name of the Lightsail instance.
__meta_lightsail_instance_state: The state of the Lightsail instance.
__meta_lightsail_instance_support_code: The support code of the Lightsail instance.
__meta_lightsail_ipv6_addresses: Comma-separated list of IPv6 addresses assigned to the instance’s network interfaces, if present.
__meta_lightsail_private_ip: The private IP address of the instance.
__meta_lightsail_public_ip: The public IP address of the instance, if available.
__meta_lightsail_region: The region of the instance.
__meta_lightsail_tag_<tagkey>: Each tag value of the instance.

Component health

discovery.lightsail is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.lightsail doesn’t expose any component-specific debug information.

Debug metrics

discovery.lightsail doesn’t expose any component-specific debug metrics.

Example

discovery.lightsail "lightsail" {
  region = "us-east-1"
}

prometheus.scrape "demo" {
  targets    = discovery.lightsail.lightsail.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.lightsail has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.linode

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.linode`

discovery.linode allows you to retrieve scrape targets from Linode’s Linode APIv4. This service discovery uses the public IPv4 address by default, but that can be changed with relabeling.

Usage

discovery.linode "<LABEL>" {
    bearer_token = "<LINODE_API_TOKEN>"
}

Note
You must create the Linode APIv4 Token with the scopes: linodes:read_only, ips:read_only, and events:read_only.

Arguments

You can use the following arguments with discovery.linode:

Name	Type	Description	Default	Required
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	Port that metrics are scraped from.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	The time to wait between polling update requests.	`"60s"`	no
`region`	`string`	A region to filter on.		no
`tag_separator`	`string`	The string by which Linode Instance tags are joined into the tag label.	`","`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.linode:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Linode API.

The following meta labels are available on targets and can be used by the discovery.relabel component:

__meta_linode_backups: The backup service status of the Linode instance.
__meta_linode_extra_ips: A list of all extra IPv4 addresses assigned to the Linode instance joined by the tag separator.
__meta_linode_group: The display group a Linode instance is a member of.
__meta_linode_gpus: The number of GPUs of the Linode instance.
__meta_linode_hypervisor: The virtualization software powering the Linode instance.
__meta_linode_image: The slug of the Linode instance’s image.
__meta_linode_instance_id: The ID of the Linode instance.
__meta_linode_instance_label: The label of the Linode instance.
__meta_linode_private_ipv4: The private IPv4 of the Linode instance.
__meta_linode_private_ipv4_rdns: The reverse DNS for the first private IPv4 of the Linode instance.
__meta_linode_public_ipv4: The public IPv4 of the Linode instance.
__meta_linode_public_ipv4_rdns: The reverse DNS for the first public IPv4 of the Linode instance.
__meta_linode_public_ipv6: The public IPv6 of the Linode instance.
__meta_linode_public_ipv6_rdns: The reverse DNS for the first public IPv6 of the Linode instance.
__meta_linode_region: The region of the Linode instance.
__meta_linode_specs_disk_bytes: The amount of storage space the Linode instance has access to.
__meta_linode_specs_memory_bytes: The amount of RAM the Linode instance has access to.
__meta_linode_specs_transfer_bytes: The amount of network transfer the Linode instance is allotted each month.
__meta_linode_specs_vcpus: The number of VCPUS this Linode has access to.
__meta_linode_status: The status of the Linode instance.
__meta_linode_tags: A list of tags of the Linode instance joined by the tag separator.
__meta_linode_type: The type of the Linode instance.
__meta_linode_ipv6_ranges: A list of IPv6 ranges with mask assigned to the Linode instance joined by the tag separator.

Component health

discovery.linode is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.linode doesn’t expose any component-specific debug information.

Debug metrics

discovery.linode doesn’t expose any component-specific debug metrics.

Example

discovery.linode "example" {
    bearer_token = sys.env("LINODE_TOKEN")
    port = 8876
}
prometheus.scrape "demo" {
    targets    = discovery.linode.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}
prometheus.remote_write "demo" {
    endpoint {
        url = <PROMETHEUS_REMOTE_WRITE_URL>
        basic_auth {
            username = <USERNAME>
            password = <PASSWORD>
        }
    }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Use a private IP address

discovery.linode "example" {
    bearer_token = sys.env("LINODE_TOKEN")
    port = 8876
}
discovery.relabel "private_ips" {
    targets = discovery.linode.example.targets
    rule {
        source_labels = ["__meta_linode_private_ipv4"]
        replacement     = "[$1]:8876"
        target_label  = "__address__"
    }
}
prometheus.scrape "demo" {
    targets    = discovery.relabel.private_ips.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}
prometheus.remote_write "demo" {
    endpoint {
        url = <PROMETHEUS_REMOTE_WRITE_URL>
        basic_auth {
            username = <USERNAME>
            password = <PASSWORD>
        }
    }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.linode has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.marathon

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.marathon`

discovery.marathon allows you to retrieve scrape targets from Marathon’s Service API.

Usage

discovery.marathon "<LABEL>" {
  servers = ["<MARATHON_SERVER1>", "<MARATHON_SERVER2>"...]
}

Arguments

You can use the following arguments with discovery.marathon:

Name	Type	Description	Default	Required
`servers`	`list(string)`	List of Marathon servers.		yes
`auth_token_file`	`string`	File containing an auth token to authenticate with.		no
`auth_token`	`secret`	Auth token to authenticate with.		no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Interval at which to refresh the list of targets.	`"30s"`	no

At most, one of the following can be provided:

auth_token_file argument
auth_token argument
[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.marathon:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Marathon servers.

Each target includes the following labels:

__meta_marathon_app_label_<labelname>: Any Marathon labels attached to the app.
__meta_marathon_app: The name of the app, with slashes replaced by dashes.
__meta_marathon_image: The name of the Docker image used, if available.
__meta_marathon_port_definition_label_<labelname>: The port definition labels.
__meta_marathon_port_index: The port index number, for example 1 for PORT1.
__meta_marathon_port_mapping_label_<labelname>: The port mapping labels.
__meta_marathon_task: The ID of the Apache Mesos task.

Component health

discovery.marathon is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.marathon doesn’t expose any component-specific debug information.

Debug metrics

discovery.marathon doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from a Marathon server:

discovery.marathon "example" {
  servers = ["localhost:8500"]
}

prometheus.scrape "demo" {
  targets    = discovery.marathon.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.marathon has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.nerve

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.nerve`

discovery.nerve discovers airbnb/nerve targets stored in Zookeeper.

Usage

discovery.nerve "<LABEL>" {
    servers = ["<SERVER_1>", "<SERVER_2>"]
    paths   = ["<PATH_1>", "<PATH_2>"]
}

Arguments

You can use the following arguments with discovery.nerve:

Name	Type	Description	Default	Required
`paths`	`list(string)`	The paths to look for targets at.		yes
`servers`	`list(string)`	The Zookeeper servers.		yes
`timeout`	`duration`	The timeout to use.	`"10s"`	no

Each element in the path list can either point to a single service, or to the root of a tree of services.

Blocks

The discovery.nerve component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from Nerve’s API.

The following meta labels are available on targets and can be used by the discovery.relabel component

__meta_nerve_endpoint_host: The host of the endpoint.
__meta_nerve_endpoint_name: The name of the endpoint.
__meta_nerve_endpoint_port: The port of the endpoint.
__meta_nerve_path: The full path to the endpoint node in Zookeeper.

Component health

discovery.nerve is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.nerve doesn’t expose any component-specific debug information.

Debug metrics

discovery.nerve doesn’t expose any component-specific debug metrics.

Example

discovery.nerve "example" {
    servers = ["localhost"]
    paths   = ["/monitoring"]
    timeout = "1m"
}
prometheus.scrape "demo" {
    targets    = discovery.nerve.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}
prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"
        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.nerve has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.nomad

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.nomad`

discovery.nomad allows you to retrieve scrape targets from Nomad’s Service API.

Usage

discovery.nomad "<LABEL>" {
}

Arguments

You can use the following arguments with discovery.nomad:

Name	Type	Description	Default	Required
`allow_stale`	`bool`	Allow reading from non-leader nomad instances.	`true`	no
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`namespace`	`string`	Nomad namespace to use.	`default`	no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to refresh list of containers.	`"30s"`	no
`region`	`string`	Nomad region to use.	`global`	no
`server`	`string`	Address of nomad server.	`"http://localhost:4646"`	no
`tag_separator`	`string`	Separator to join nomad tags into Prometheus labels.	`","`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.nomad:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the nomad server.

Each target includes the following labels:

__meta_nomad_address: The service address of the target.
__meta_nomad_dc: The data center name for the target.
__meta_nomad_namespace: The namespace of the target.
__meta_nomad_node_id: The node name defined for the target.
__meta_nomad_service_address: The service address of the target.
__meta_nomad_service_id: The service ID of the target.
__meta_nomad_service_port: The service port of the target.
__meta_nomad_service: The name of the service the target belongs to.
__meta_nomad_tags: The list of tags of the target joined by the tag separator.

Component health

discovery.nomad is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.nomad doesn’t expose any component-specific debug information.

Debug metrics

discovery.nomad doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from a Nomad server:

discovery.nomad "example" {
}

prometheus.scrape "demo" {
  targets    = discovery.nomad.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.nomad has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.openstack

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.openstack`

discovery.openstack discovers OpenStack Nova instances and exposes them as targets.

Usage

discovery.openstack "<LABEL>" {
  role   = "<OPENSTACK_ROLE>"
  region = "<OPENSTACK_REGION>"
}

Arguments

You can use the following arguments with discovery.openstack:

Name	Type	Description	Default	Required
`region`	`string`	OpenStack region.		yes
`role`	`string`	Role of the discovered targets.		yes
`all_tenants`	`bool`	Whether the service discovery should list all instances for all projects.	`false`	no
`application_credential_id`	`string`	OpenStack application credential ID for the Identity V2 and V3 APIs.		no
`application_credential_name`	`string`	OpenStack application credential name for the Identity V2 and V3 APIs.		no
`application_credential_secret`	`secret`	OpenStack application credential secret for the Identity V2 and V3 APIs.		no
`availability`	`string`	The availability of the endpoint to connect to.	`public`	no
`domain_id`	`string`	OpenStack domain ID for the Identity V2 and V3 APIs.		no
`domain_name`	`string`	OpenStack domain name for the Identity V2 and V3 APIs.		no
`identity_endpoint`	`string`	Specifies the HTTP endpoint that’s required to work with the Identity API of the appropriate version		no
`password`	`secret`	Password for the Identity V2 and V3 APIs.		no
`port`	`int`	The port to scrape metrics from.	`80`	no
`project_id`	`string`	OpenStack project ID for the Identity V2 and V3 APIs.		no
`project_name`	`string`	OpenStack project name for the Identity V2 and V3 APIs.		no
`refresh_interval`	`duration`	Refresh interval to re-read the instance list.	`"60s"`	no
`userid`	`string`	OpenStack user ID for the Identity V2 and V3 APIs.		no
`username`	`string`	OpenStack username for the Identity V2 and V3 APIs.		no

role must be one of hypervisor or instance.

all_tenants is only relevant for the instance role and usually requires administrator permissions.

application_credential_id or application_credential_name fields are required if using an application credential to authenticate. Some providers allow you to create an application credential to authenticate rather than a password.

application_credential_secret field is required if using an application credential to authenticate.

availability must be one of public, admin, or internal.

project_id and project_name fields are optional for the Identity V2 API. Some providers allow you to specify a project_name instead of the project_id and some require both.

username is required if using Identity V2 API. In Identity V3, either userid or a combination of username and domain_id or domain_name are needed.

Blocks

You can use the following block with discovery.openstack:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`tls_config`

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the OpenStack API.

`hypervisor` role

The hypervisor role discovers one target per Nova hypervisor node. The target address defaults to the host_ip attribute of the hypervisor.

__meta_openstack_hypervisor_host_ip: The hypervisor node’s IP address.
__meta_openstack_hypervisor_hostname: The hypervisor node’s name.
__meta_openstack_hypervisor_id: The hypervisor node’s ID.
__meta_openstack_hypervisor_state: The hypervisor node’s state.
__meta_openstack_hypervisor_status: The hypervisor node’s status.
__meta_openstack_hypervisor_type: The hypervisor node’s type.

`instance` role

The instance role discovers one target per network interface of Nova instance. The target address defaults to the private IP address of the network interface.

__meta_openstack_address_pool: The pool of the private IP.
__meta_openstack_instance_flavor: The flavor of the OpenStack instance, or the flavor ID if the flavor name isn’t available.
__meta_openstack_instance_id: The OpenStack instance ID.
__meta_openstack_instance_image: The ID of the image the OpenStack instance is using.
__meta_openstack_instance_name: The OpenStack instance name.
__meta_openstack_instance_status: The status of the OpenStack instance.
__meta_openstack_private_ip: The private IP of the OpenStack instance.
__meta_openstack_project_id: The project (tenant) owning this instance.
__meta_openstack_public_ip: The public IP of the OpenStack instance.
__meta_openstack_tag_<key>: Each metadata item of the instance, with any unsupported characters converted to an underscore.
__meta_openstack_user_id: The user account owning the tenant.

Component health

discovery.openstack is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.openstack doesn’t expose any component-specific debug information.

Debug metrics

discovery.openstack doesn’t expose any component-specific debug metrics.

Example

discovery.openstack "example" {
  role   = "<OPENSTACK_ROLE>"
  region = "<OPENSTACK_REGION>"
}

prometheus.scrape "demo" {
  targets    = discovery.openstack.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<OPENSTACK_ROLE>: Your OpenStack role.
<OPENSTACK_REGION>: Your OpenStack region.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.openstack has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.ovhcloud

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.ovhcloud`

discovery.ovhcloud discovers scrape targets from the OVHcloud dedicated servers and VPS using their API. Alloy periodically checks the REST endpoint and create a target for every discovered server. The public IPv4 address is used by default. If there’s no IPv4 address, the IPv6 address is used. This may be changed via relabeling with discovery.relabel. For the OVHcloud public cloud instances you can use discovery.openstack.

Usage

discovery.ovhcloud "<LABEL>" {
    application_key    = "<APPLICATION_KEY>"
    application_secret = "<APPLICATION_SECRET>"
    consumer_key       = "<CONSUMER_KEY>"
    service            = "<SERVICE>"
}

Arguments

You can use the following arguments with discovery.ovhcloud:

Name	Type	Description	Default	Required
`application_key`	`string`	API application key.		yes
`application_secret`	`secret`	API application secret.		yes
`consumer_key`	`secret`	API consumer key.		yes
`service`	`string`	Service of the targets to retrieve.		yes
`endpoint`	`string`	API endpoint.	`"ovh-eu"`	no
`refresh_interval`	`duration`	Refresh interval to re-read the resources list.	`"60s"`	no

service must be either vps or dedicated_server.

endpoint must be one of the supported API endpoints.

Blocks

The discovery.ovhcloud component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the OVHcloud API.

Multiple meta labels are available on targets and can be used by the discovery.relabel component.

VPS meta labels:

__meta_ovhcloud_vps_cluster: The cluster of the server.
__meta_ovhcloud_vps_datacenter: The data center of the server.
__meta_ovhcloud_vps_disk: The disk of the server.
__meta_ovhcloud_vps_display_name: The display name of the server.
__meta_ovhcloud_vps_ipv4: The IPv4 of the server.
__meta_ovhcloud_vps_ipv6: The IPv6 of the server.
__meta_ovhcloud_vps_keymap: The KVM keyboard layout of the server.
__meta_ovhcloud_vps_maximum_additional_ip: The maximum additional IP addresses of the server.
__meta_ovhcloud_vps_memory_limit: The memory limit of the server.
__meta_ovhcloud_vps_memory: The memory of the server.
__meta_ovhcloud_vps_monitoring_ip_blocks: The monitoring IP blocks of the server.
__meta_ovhcloud_vps_name: The name of the server.
__meta_ovhcloud_vps_netboot_mode: The netboot mode of the server.
__meta_ovhcloud_vps_offer_type: The offer type of the server.
__meta_ovhcloud_vps_offer: The offer of the server.
__meta_ovhcloud_vps_state: The state of the server.
__meta_ovhcloud_vps_vcore: The number of virtual cores of the server.
__meta_ovhcloud_vps_version: The version of the server.
__meta_ovhcloud_vps_zone: The zone of the server.

Dedicated servers meta labels:

__meta_ovhcloud_dedicated_server_commercial_range: The commercial range of the server.
__meta_ovhcloud_dedicated_server_datacenter: The data center of the server.
__meta_ovhcloud_dedicated_server_ipv4: The IPv4 of the server.
__meta_ovhcloud_dedicated_server_ipv6: The IPv6 of the server.
__meta_ovhcloud_dedicated_server_link_speed: The link speed of the server.
__meta_ovhcloud_dedicated_server_name: The name of the server.
__meta_ovhcloud_dedicated_server_no_intervention: Whether datacenter intervention is disabled for the server.
__meta_ovhcloud_dedicated_server_os: The operating system of the server.
__meta_ovhcloud_dedicated_server_rack: The rack of the server.
__meta_ovhcloud_dedicated_server_reverse: The reverse DNS name of the server.
__meta_ovhcloud_dedicated_server_server_id: The ID of the server.
__meta_ovhcloud_dedicated_server_state: The state of the server.
__meta_ovhcloud_dedicated_server_support_level: The support level of the server.

Component health

discovery.ovhcloud is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.ovhcloud doesn’t expose any component-specific debug information.

Debug metrics

discovery.ovhcloud doesn’t expose any component-specific debug metrics.

Example

discovery.ovhcloud "example" {
    application_key    = "<APPLICATION_KEY>"
    application_secret = "<APPLICATION_SECRET>"
    consumer_key       = "<CONSUMER_KEY>"
    service            = "<SERVICE>"
}

prometheus.scrape "demo" {
    targets    = discovery.ovhcloud.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"
        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<APPLICATION_KEY>: The OVHcloud API application key.
<APPLICATION_SECRET>: The OVHcloud API application secret.
<CONSUMER_KEY>: The OVHcloud API consumer key.
<SERVICE>: The OVHcloud service of the targets to retrieve.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.ovhcloud has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.process

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.process`

discovery.process discovers processes running on the local Linux OS.

Note
To use the discovery.process component you must run Alloy as root and inside host PID namespace.

Usage

discovery.process "<LABEL>" {

}

Arguments

You can use the following arguments with discovery.process:

Name	Type	Description	Default	Required
`join`	`list(map(string))`	Join external targets to discovered processes targets based on `__container_id__` label.		no
`refresh_interval`	`duration`	How often to sync targets.	`"60s"`	no

Targets joining

If you specify join, discovery.process joins the discovered processes based on the __container_id__ label. This component alternatively joins targets by __meta_kubernetes_pod_container_id or __meta_docker_container_id, which allows a simple integration with the output from other discovery components like discovery.kubernetes. The example discovering processes on the local host and joining with discovery.kubernetes demonstrates this.

For example, if join is specified as the following external targets:

[
  {
    "pod": "pod-1",
    "__container_id__": "container-1"
  },
  {
    "pod": "pod-2",
    "__container_id__": "container-2"
  }
]

And the discovered process targets are:

[
  {
    "__process_pid__": "1",
    "__container_id__": "container-1"
  },
  {
    "__process_pid__": "2"
  }
]

The resulting targets are:

[
  {
    "__container_id__": "container-1",
    "__process_pid__": "1",
    "pod": "pod-1"
  },
  {
    "__process_pid__": "2"
  },
  {
    "__container_id__": "container-1",
    "pod": "pod-1"
  },
  {
    "__container_id__": "container-2",
    "pod": "pod-2"
  }
]

The four targets are updated as follows:

The first external target is merged with the first discovered process target, joined by __container_id__=1.
The second discovered process target has no matching external target.
The first original external target has no matching discovered process target.
The second original external target has no matching discovered process target.

Blocks

You can use the following block with discovery.process:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`discover_config`

The discover_config block describes which process metadata to discover.

The following arguments are supported:

Name	Type	Description	Default	Required
`exe`	`bool`	A flag to enable discovering `__meta_process_exe` label.	`true`	no
`cwd`	`bool`	A flag to enable discovering `__meta_process_cwd` label.	`true`	no
`commandline`	`bool`	A flag to enable discovering `__meta_process_commandline` label.	`true`	no
`uid`	`bool`	A flag to enable discovering `__meta_process_uid` label.	`true`	no
`username`	`bool`	A flag to enable discovering `__meta_process_username` label.	`true`	no
`cgroup_path`	`bool`	A flag to enable discovering `__meta_cgroup_path__` label.	`false`	no
`container_id`	`bool`	A flag to enable discovering `__container_id__` label.	`true`	no

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of processes discovered on the local Linux OS.

Each target includes the following labels:

__container_id__: The container ID. Taken from /proc/<pid>/cgroup. If the process isn’t running in a container, this label isn’t set.
__meta_cgroup_path: The cgroup path under which the process is running. In the case of cgroups v1, this label includes all the controllers paths delimited by |.
__meta_process_commandline: The process command line. Taken from /proc/<pid>/cmdline.
__meta_process_cwd: The process current working directory. Taken from /proc/<pid>/cwd.
__meta_process_exe: The process executable path. Taken from /proc/<pid>/exe.
__meta_process_uid: The process UID. Taken from /proc/<pid>/status.
__meta_process_username: The process username. Taken from __meta_process_uid and os/user/LookupID.
__process_pid__: The process PID.

Component health

discovery.process is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.process doesn’t expose any component-specific debug information.

Debug metrics

discovery.process doesn’t expose any component-specific debug metrics.

Examples

Example discovering processes on the local host

discovery.process "all" {
  refresh_interval = "60s"
  discover_config {
    cwd = true
    exe = true
    commandline = true
    username = true
    uid = true
    cgroup_path = true
    container_id = true
  }
}

Example discovering processes on the local host and joining with `discovery.kubernetes`

discovery.kubernetes "pyroscope_kubernetes" {
  selectors {
    field = "spec.nodeName=" + sys.env("HOSTNAME")
    role = "pod"
  }
  role = "pod"
}

discovery.process "all" {
  join = discovery.kubernetes.pyroscope_kubernetes.targets
  refresh_interval = "60s"
  discover_config {
    cwd = true
    exe = true
    commandline = true
    username = true
    uid = true
    container_id = true
  }
}

Example discovering processes on the local host based on `cgroups` path

The following example configuration shows you how to discover processes running under systemd services on the local host.

discovery.process "all" {
  refresh_interval = "60s"
  discover_config {
    cwd = true
    exe = true
    commandline = true
    username = true
    uid = true
    cgroup_path = true
    container_id = true
  }
}

discovery.relabel "systemd_services" {
  targets = discovery.process.all.targets
  // Only keep the targets that correspond to systemd services
  rule {
    action = "keep"
    regex = "^.*/([a-zA-Z0-9-_]+).service(?:.*$)"
    source_labels = ["__meta_cgroup_id"]
  }
}

Compatible components

discovery.process can accept arguments from the following components:

Components that export Targets

discovery.process has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.puppetdb

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.puppetdb`

discovery.puppetdb allows you to retrieve scrape targets from PuppetDB resources.

This SD discovers resources and creates a target for each resource returned by the API.

The resource address is the certname of the resource, and can be changed during relabeling.

The queries for this component are expected to be valid PQL (Puppet Query Language).

Usage

discovery.puppetdb "<LABEL>" {
  url = "<PUPPET_SERVER>"
}

Arguments

You can use the following arguments with discovery.puppetdb:

Name	Type	Description	Default	Required
`query`	`string`	Puppet Query Language (PQL) query. Only resources are supported.		yes
`url`	`string`	The URL of the PuppetDB root query endpoint.		yes
`bearer_token_file`	`string`	File containing a bearer token to authenticate with.		no
`bearer_token`	`secret`	Bearer token to authenticate with.		no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`include_parameters`	`bool`	Whether to include the parameters as meta labels. Due to the differences between parameter types and Prometheus labels, some parameters might not be rendered. The format of the parameters might also change in future releases. Make sure that you don’t have secrets exposed as parameters if you enable this.	`false`	no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`int`	The port to scrape metrics from.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to refresh targets.	`"30s"`	no

At most, one of the following can be provided:

[authorization][authorization] block
[basic_auth][basic_auth] block
bearer_token_file argument
bearer_token argument
[oauth2][oauth2] block

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.puppetdb:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`authorization`

The authorization block configures generic authorization to the endpoint.

Name	Type	Description	Required
`credentials_file`	`string`	File containing the secret value.	no
`credentials`	`secret`	Secret value.	no
`type`	`string`	Authorization type, for example, “Bearer”.	no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

Warning
Using credentials_file causes the file to be read on every outgoing request. Use the local.file component with the credentials attribute instead to avoid unnecessary reads.

`basic_auth`

The basic_auth block configures basic authentication to the endpoint.

Name	Type	Description	Required
`password_file`	`string`	File containing the basic auth password.	no
`password`	`secret`	Basic auth password.	no
`username`	`string`	Basic auth username.	no

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

Warning
Using password_file causes the file to be read on every outgoing request. Use the local.file component with the password attribute instead to avoid unnecessary reads.

`oauth2`

The oauth2 block configures OAuth 2.0 authentication to the endpoint.

Name	Type	Description	Default	Required
`client_id`	`string`	OAuth2 client ID.		no
`client_secret_file`	`string`	File containing the OAuth2 client secret.		no
`client_secret`	`secret`	OAuth2 client secret.		no
`endpoint_params`	`map(string)`	Optional parameters to append to the token URL.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`scopes`	`list(string)`	List of scopes to authenticate with.		no
`token_url`	`string`	URL to fetch the token from.		no

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

Warning
Using client_secret_file causes the file to be read on every outgoing request. Use the local.file component with the client_secret attribute instead to avoid unnecessary reads.

The oauth2 block may also contain a separate tls_config sub-block.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from PuppetDB.

Each target includes the following labels:

__meta_puppetdb_certname: The name of the node associated with the resource.
__meta_puppetdb_environment: The environment of the node associated with the resource.
__meta_puppetdb_exported: Whether the resource is exported, either true or false.
__meta_puppetdb_file: The manifest file in which the resource was declared.
__meta_puppetdb_parameter_<parametername>: The parameters of the resource.
__meta_puppetdb_query: The Puppet Query Language (PQL) query.
__meta_puppetdb_resource: A SHA-1 hash of the resource’s type, title, and parameters, for identification.
__meta_puppetdb_tags: A comma separated list of resource tags.
__meta_puppetdb_title: The resource title.
__meta_puppetdb_type: The resource type.

Component health

discovery.puppetdb is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.puppetdb doesn’t expose any component-specific debug information.

Debug metrics

discovery.puppetdb doesn’t expose any component-specific debug metrics.

Example

This example discovers targets from PuppetDB for all the servers that have a specific package defined:

discovery.puppetdb "example" {
    url   = "http://puppetdb.local:8080"
    query = "resources { type = \"Package\" and title = \"node_exporter\" }"
    port  = 9100
}

prometheus.scrape "demo" {
    targets    = discovery.puppetdb.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"

        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.puppetdb has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.relabel

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.relabel`

In Alloy, targets are defined as sets of key-value pairs called labels.

discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. If no rules are defined, then the input targets are exported as-is.

The most common use of discovery.relabel is to filter targets or standardize the target label set that’s passed to a downstream component. The rule blocks are applied to the label set of each target in order of their appearance in the configuration file. The configured rules can be retrieved by calling the function in the rules export field.

Target labels which start with a double underscore __ are considered internal, and may be removed by other components prior to telemetry collection. To retain any of these labels, use a labelmap action to remove the prefix, or remap them to a different name. Service discovery mechanisms usually group their labels under __meta_*. For example, the discovery.kubernetes component populates a set of __meta_kubernetes_* labels to provide information about the discovered Kubernetes resources. If a relabeling rule needs to store a label value temporarily, for example as the input to a subsequent step, use the __tmp label name prefix, as it’s guaranteed to never be used.

Multiple discovery.relabel components can be specified by giving them different labels.

Usage

discovery.relabel "<LABEL>" {
  targets = "<TARGET_LIST>"

  rule {
    ...
  }

  ...
}

Arguments

You can use the following argument with discovery.relabel:

Name	Type	Description	Default	Required
`targets`	`list(map(string))`	Targets to relabel		yes

Blocks

You can use the following block with discovery.relabel:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`rule`

The rule block configures the relabeling rules to apply to targets.

The rule block contains the definition of any relabeling rules that can be applied to an input metric. If more than one rule block is defined, the transformations are applied in top-down order.

The following arguments can be used to configure a rule. All arguments are optional. Omitted fields take their default values.

Name	Type	Description	Default	Required
`action`	`string`	The relabeling action to perform.	replace	no
`modulus`	`uint`	A positive integer used to calculate the modulus of the hashed source label values.		no
`regex`	`string`	A valid RE2 expression with support for parenthesized capture groups. Used to match the extracted value from the combination of the `source_label` and `separator` fields or filter labels during the `labelkeep/labeldrop/labelmap` actions.	`(.*)`	no
`replacement`	`string`	The value against which a regular expression replace is performed, if the regular expression matches the extracted value. Supports previously captured groups.	`"$1"`	no
`separator`	`string`	The separator used to concatenate the values present in `source_labels`.	;	no
`source_labels`	`list(string)`	The list of labels whose values are to be selected. Their content is concatenated using the `separator` and matched against `regex`.		no
`target_label`	`string`	Label to which the resulting value will be written to.		no

You can use the following actions:

drop - Drops metrics where regex matches the string extracted using the source_labels and separator.
dropequal - Drop targets for which the concatenated source_labels do match target_label.
hashmod - Hashes the concatenated labels, calculates its modulo modulus and writes the result to the target_label.
keep - Keeps metrics where regex matches the string extracted using the source_labels and separator.
keepequal - Drop targets for which the concatenated source_labels don’t match target_label.
labeldrop - Matches regex against all label names. Any labels that match are removed from the metric’s label set.
labelkeep - Matches regex against all label names. Any labels that don’t match are removed from the metric’s label set.
labelmap - Matches regex against all label names. Any labels that match are renamed according to the contents of the replacement field.
lowercase - Sets target_label to the lowercase form of the concatenated source_labels.
replace - Matches regex to the concatenated labels. If there’s a match, it replaces the content of the target_label using the contents of the replacement field.
uppercase - Sets target_label to the uppercase form of the concatenated source_labels.

Note
The regular expression capture groups can be referred to using either the $CAPTURE_GROUP_NUMBER or ${CAPTURE_GROUP_NUMBER} notation.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`output`	`list(map(string))`	The set of targets after applying relabeling.
`rules`	`RelabelRules`	The currently configured relabeling rules.

Component health

discovery.relabel is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.relabel doesn’t expose any component-specific debug information.

Debug metrics

discovery.relabel doesn’t expose any component-specific debug metrics.

Example

The following example shows how the discovery.relabel component applies relabel rules to the incoming targets. In practice, the targets slice will come from another discovery.* component, but they are enumerated here to help clarify the example.

discovery.relabel "keep_backend_only" {
  targets = [
    { "__meta_foo" = "foo", "__address__" = "localhost", "instance" = "one",   "app" = "backend"  },
    { "__meta_bar" = "bar", "__address__" = "localhost", "instance" = "two",   "app" = "database" },
    { "__meta_baz" = "baz", "__address__" = "localhost", "instance" = "three", "app" = "frontend" },
  ]

  # Combine the "__address__" and "instance" labels into a new "destination" label.
  rule {
    source_labels = ["__address__", "instance"]
    separator     = "/"
    target_label  = "destination"
    action        = "replace"
  }

  # Drop any targets that do not have the value "backend" in their "app" label.
  rule {
    source_labels = ["app"]
    action        = "keep"
    regex         = "backend"
  }

  # Add a static label to all remaining targets.
  rule {
    target_label = "custom_static_label"
    replacement = "static_value"
  }
}

Compatible components

discovery.relabel can accept arguments from the following components:

Components that export Targets

discovery.relabel has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.scaleway

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.scaleway`

discovery.scaleway discovers targets from Scaleway instances and bare metal services.

Usage

discovery.scaleway "<LABEL>" {
    project_id = "<SCALEWAY_PROJECT_ID>"
    role       = "<SCALEWAY_PROJECT_ROLE>"
    access_key = "<SCALEWAY_ACCESS_KEY>"
    secret_key = "<SCALEWAY_SECRET_KEY>"
}

Arguments

You can use the following arguments with discovery.scaleway:

Name	Type	Description	Default	Required
`access_key`	`string`	Access key for the Scaleway API.		yes
`project_id`	`string`	Scaleway project ID of targets.		yes
`role`	`string`	Role of targets to retrieve.		yes
`secret_key_file`	`string`	Path to file containing secret key for the Scaleway API.		conditional
`secret_key`	`secret`	Secret key for the Scaleway API.		conditional
`api_url`	`string`	Scaleway API URL.	`"https://api.scaleway.com"`	no
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`name_filter`	`string`	Name filter to apply against the listing request.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`port`	`number`	Default port on servers to associate with generated targets.	`80`	no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Frequency to rediscover targets.	`"60s"`	no
`tags_filter`	`list(string)`	List of tags to search for.		no
`zone`	`string`	Availability zone of targets.	`"fr-par-1"`	no

The role argument determines what type of Scaleway machines to discover. It must be set to one of the following:

"baremetal": Discover bare metal Scaleway machines.
"instance": Discover virtual Scaleway instances.

The name_filter and tags_filter arguments can be used to filter the set of discovered servers. name_filter returns machines matching a specific name, while tags_filter returns machines who contain all the tags listed in the tags_filter argument.

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following blocks with discovery.scaleway:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`tls_config`

The tls_config block configures TLS settings for connecting to the endpoint.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Consul catalog API.

When role is baremetal, discovered targets include the following labels:

__meta_scaleway_baremetal_id: The ID of the server.
__meta_scaleway_baremetal_name: The name of the server.
__meta_scaleway_baremetal_os_name: The operating system name of the server.
__meta_scaleway_baremetal_os_version: The operating system version of the server.
__meta_scaleway_baremetal_project_id: The project ID the server belongs to.
__meta_scaleway_baremetal_public_ipv4: The public IPv4 address of the server.
__meta_scaleway_baremetal_public_ipv6: The public IPv6 address of the server.
__meta_scaleway_baremetal_status: The current status of the server.
__meta_scaleway_baremetal_tags: The list of tags associated with the server concatenated with a ,.
__meta_scaleway_baremetal_type: The commercial type of the server.
__meta_scaleway_baremetal_zone: The availability zone of the server.

When role is instance, discovered targets include the following labels:

__meta_scaleway_instance_boot_type: The boot type of the server.
__meta_scaleway_instance_hostname: The hostname of the server.
__meta_scaleway_instance_id: The ID of the server.
__meta_scaleway_instance_image_arch: The architecture of the image the server is running.
__meta_scaleway_instance_image_id: The ID of the image the server is running.
__meta_scaleway_instance_image_name: The name of the image the server is running.
__meta_scaleway_instance_location_cluster_id: The ID of the cluster for the server’s location.
__meta_scaleway_instance_location_hypervisor_id: The hypervisor ID for the server’s location.
__meta_scaleway_instance_location_node_id: The node ID for the server’s location.
__meta_scaleway_instance_name: The name of the server.
__meta_scaleway_instance_organization_id: The organization ID that the server belongs to.
__meta_scaleway_instance_private_ipv4: The private IPv4 address of the server.
__meta_scaleway_instance_project_id: The project ID the server belongs to.
__meta_scaleway_instance_public_ipv4: The public IPv4 address of the server.
__meta_scaleway_instance_public_ipv6: The public IPv6 address of the server.
__meta_scaleway_instance_region: The region of the server.
__meta_scaleway_instance_security_group_id: The ID of the security group the server is assigned to.
__meta_scaleway_instance_security_group_name: The name of the security group the server is assigned to.
__meta_scaleway_instance_status: The current status of the server.
__meta_scaleway_instance_tags: The list of tags associated with the server concatenated with a ,.
__meta_scaleway_instance_type: The commercial type of the server.
__meta_scaleway_instance_zone: The availability zone of the server.

Component health

discovery.scaleway is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.scaleway doesn’t expose any component-specific debug information.

Debug metrics

discovery.scaleway doesn’t expose any component-specific debug metrics.

Example

discovery.scaleway "example" {
    project_id = "<SCALEWAY_PROJECT_ID>"
    role       = "<SCALEWAY_PROJECT_ROLE>"
    access_key = "<SCALEWAY_ACCESS_KEY>"
    secret_key = "<SCALEWAY_SECRET_KEY>"
}

prometheus.scrape "demo" {
    targets    = discovery.scaleway.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"

        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<SCALEWAY_PROJECT_ID>: The project ID of your Scaleway machines.
<SCALEWAY_PROJECT_ROLE>: Set to baremetal to discover bare metal machines or instance to discover virtual instances.
<SCALEWAY_ACCESS_KEY>: Your Scaleway API access key.
<SCALEWAY_SECRET_KEY>: Your Scaleway API secret key.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.scaleway has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.serverset

Mon, 30 Mar 2026 15:47:22 +0000

`discovery.serverset`

discovery.serverset discovers Serversets stored in Zookeeper and exposes them as targets. Serversets are commonly used by Finagle and Aurora.

Usage

discovery.serverset "<LABEL>" {
    servers = "<SERVERS_LIST>"
    paths   = "<ZOOKEEPER_PATHS_LIST>"
}

Serverset data stored in Zookeeper must be in JSON format. The Thrift format isn’t supported.

Arguments

You can use the following arguments with discovery.serverset:

Name	Type	Description	Default	Required
`paths`	`list(string)`	The Zookeeper paths to discover Serversets from.		yes
`servers`	`list(string)`	The Zookeeper servers to connect to.		yes
`timeout`	`duration`	The Zookeeper session timeout	`"10s"`	no

Blocks

The discovery.serverset component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered.

The following metadata labels are available on targets during relabeling:

__meta_serverset_endpoint_host_<endpoint>: The host of the given endpoint.
__meta_serverset_endpoint_host: The host of the default endpoint.
__meta_serverset_endpoint_port_<endpoint>: The port of the given endpoint.
__meta_serverset_endpoint_port: The port of the default endpoint.
__meta_serverset_path: The full path to the serverset member node in Zookeeper.
__meta_serverset_shard: The shard number of the member.
__meta_serverset_status: The status of the member.

Component health

discovery.serverset is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.serverset doesn’t expose any component-specific debug information.

Debug metrics

discovery.serverset doesn’t expose any component-specific debug metrics.

Example

The configuration below connects to one of the Zookeeper servers, either zk1, zk2, or zk3, and discovers JSON Serversets at paths /path/to/znode1 and /path/to/znode2. The discovered targets are scraped by the prometheus.scrape.default component and forwarded to the prometheus.remote_write.default component, which sends the samples to specified remote_write URL.

discovery.serverset "zookeeper" {
    servers = ["zk1", "zk2", "zk3"]
    paths   = ["/path/to/znode1", "/path/to/znode2"]
    timeout = "30s"
}

prometheus.scrape "default" {
    targets    = discovery.serverset.zookeeper.targets
    forward_to = [prometheus.remote_write.default.receiver]
}

prometheus.remote_write "default" {
    endpoint {
        url = "http://remote-write-url1"
    }
}

Compatible components

discovery.serverset has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.triton

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.triton`

discovery.triton discovers Triton Container Monitors and exposes them as targets.

Usage

discovery.triton "<LABEL>" {
    account    = "<ACCOUNT>"
    dns_suffix = "<DNS_SUFFIX>"
    endpoint   = "<ENDPOINT>"
}

Arguments

You can use the following arguments with discovery.triton:

Name	Type	Description	Default	Required
`account`	`string`	The account to use for discovering new targets.		yes
`dns_suffix`	`string`	The DNS suffix that’s applied to the target.		yes
`endpoint`	`string`	The Triton discovery endpoint.		yes
`groups`	`list(string)`	A list of groups to retrieve targets from.		no
`port`	`int`	The port to use for discovery and metrics scraping.	`9163`	no
`refresh_interval`	`duration`	The refresh interval for the list of targets.	`"60s"`	no
`role`	`string`	The type of targets to discover.	`"container"`	no
`version`	`int`	The Triton discovery API version.	`1`	no

groups is only supported when role is set to "container". If you omit groups, all containers owned by the requesting account are scraped.

role can be set to:

"container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton.
"cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure.

Blocks

You can use the following block with discovery.triton:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`tls_config`

The tls_config block configures TLS settings for requests to the Triton API.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Triton API.

When role is set to "container", each target includes the following labels:

__meta_triton_groups: The list of groups belonging to the target joined by a comma separator.
__meta_triton_machine_alias: The alias of the target container.
__meta_triton_machine_brand: The brand of the target container.
__meta_triton_machine_id: The UUID of the target container.
__meta_triton_machine_image: The target container’s image type.
__meta_triton_server_id: The server UUID the target container is running on.

When role is set to "cn" each target includes the following labels:

__meta_triton_machine_alias: The hostname of the target. Requires triton-cmon 1.7.0 or newer.
__meta_triton_machine_id: The UUID of the target.

Component health

discovery.triton is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.triton doesn’t expose any component-specific debug information.

Debug metrics

discovery.triton doesn’t expose any component-specific debug metrics.

Example

discovery.triton "example" {
    account    = "<TRITON_ACCOUNT>"
    dns_suffix = "<TRITON_DNS_SUFFIX>"
    endpoint   = "<TRITON_ENDPOINT>"
}

prometheus.scrape "demo" {
    targets    = discovery.triton.example.targets
    forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
    endpoint {
        url = "<PROMETHEUS_REMOTE_WRITE_URL>"

        basic_auth {
            username = "<USERNAME>"
            password = "<PASSWORD>"
        }
    }
}

Replace the following:

<TRITON_ACCOUNT>: Your Triton account.
<TRITON_DNS_SUFFIX>: Your Triton DNS suffix.
<TRITON_ENDPOINT>: Your Triton endpoint.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.triton has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.

discovery.uyuni

Mon, 13 Apr 2026 07:37:47 +0000

`discovery.uyuni`

discovery.uyuni discovers Uyuni Monitoring Endpoints and exposes them as targets.

Usage

discovery.uyuni "<LABEL>" {
    server   = "<SERVER>"
    username = "<USERNAME>"
    password = "<PASSWORD>"
}

Arguments

You can use the following arguments with discovery.uyuni:

Name	Type	Description	Default	Required
`password`	`secret`	The password to use for authentication to the Uyuni API.		yes
`server`	`string`	The primary Uyuni Server.		yes
`username`	`string`	The username to use for authentication to the Uyuni API.		yes
`enable_http2`	`bool`	Whether HTTP2 is supported for requests.	`true`	no
`entitlement`	`string`	The entitlement to filter on when listing targets.	`"monitoring_entitled"`	no
`follow_redirects`	`bool`	Whether redirects returned by the server should be followed.	`true`	no
`http_headers`	`map(list(secret))`	Custom HTTP headers to be sent along with each request. The map key is the header name.		no
`no_proxy`	`string`	Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.		no
`proxy_connect_header`	`map(list(secret))`	Specifies headers to send to proxies during CONNECT requests.		no
`proxy_from_environment`	`bool`	Use the proxy URL indicated by environment variables.	`false`	no
`proxy_url`	`string`	HTTP proxy to send requests through.		no
`refresh_interval`	`duration`	Interval at which to refresh the list of targets.	`"1m"`	no
`separator`	`string`	The separator to use when building the `__meta_uyuni_groups` label.	`","`	no

no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. proxy_url must be configured if no_proxy is configured.

proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.

Blocks

You can use the following block with discovery.uyuni:

Block	Description	Required
`managed_identity`	Managed Identity configuration for Azure API.	no
`oauth`	OAuth 2.0 configuration for Azure API.	no
`tls_config`	TLS configuration for requests to the Azure API.	no

`tls_config`

The tls_config block configures TLS settings for requests to the Uyuni API.

Name	Type	Description	Required
`ca_pem`	`string`	CA PEM-encoded text to validate the server with.	no
`ca_file`	`string`	CA certificate to validate the server with.	no
`cert_pem`	`string`	Certificate PEM-encoded text for client authentication.	no
`cert_file`	`string`	Certificate file for client authentication.	no
`insecure_skip_verify`	`bool`	Disables validation of the server certificate.	no
`key_file`	`string`	Key file for client authentication.	no
`key_pem`	`secret`	Key PEM-encoded text for client authentication.	no
`min_version`	`string`	Minimum acceptable TLS version.	no
`server_name`	`string`	ServerName extension to indicate the name of the server.	no

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

ca_pem and ca_file
cert_pem and cert_file
key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

"TLS10" (TLS 1.0)
"TLS11" (TLS 1.1)
"TLS12" (TLS 1.2)
"TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`targets`	`list(map(string))`	The set of targets discovered from the Uyuni API.

Each target includes the following labels:

__meta_uyuni_endpoint_name: The name of the endpoint.
__meta_uyuni_exporter: The name of the exporter.
__meta_uyuni_groups: The groups the Uyuni Minion belongs to.
__meta_uyuni_metrics_path: The path to the metrics endpoint.
__meta_uyuni_minion_hostname: The hostname of the Uyuni Minion.
__meta_uyuni_primary_fqdn: The FQDN of the Uyuni primary.
__meta_uyuni_proxy_module: The name of the Uyuni module.
__meta_uyuni_scheme: https if TLS is enabled on the endpoint, http otherwise.
__meta_uyuni_system_id: The system ID of the Uyuni Minion.

These labels are largely derived from a listEndpoints API call to the Uyuni Server.

Component health

discovery.uyuni is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

Debug information

discovery.uyuni doesn’t expose any component-specific debug information.

Debug metrics

discovery.uyuni doesn’t expose any component-specific debug metrics.

Example

discovery.uyuni "example" {
  server    = "https://127.0.0.1/rpc/api"
  username  = "<UYUNI_USERNAME>"
  password  = "<UYUNI_PASSWORD>"
}

prometheus.scrape "demo" {
  targets    = discovery.uyuni.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}

Replace the following:

<UYUNI_USERNAME>: The username to use for authentication to the Uyuni server.
<UYUNI_PASSWORD>: The password to use for authentication to the Uyuni server.
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.
<USERNAME>: The username to use for authentication to the remote_write API.
<PASSWORD>: The password to use for authentication to the remote_write API.

Compatible components

discovery.uyuni has exports that can be consumed by the following components:

Components that consume Targets

Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.