feat(seer-infra-telemetry): Implement monitoring provider connection API endpoints (#117478)

shashjar · getsantry[bot] · web-flow · commit b6650ee5a06f · 2026-06-16T12:59:20.000-07:00
Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
diff --git a/src/sentry/api/endpoints/organization_monitoring_provider_details.py b/src/sentry/api/endpoints/organization_monitoring_provider_details.py
@@ -0,0 +1,96 @@
+from __future__ import annotations
+
+import logging
+
+from django.http import HttpResponseRedirect
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from sentry import features
+from sentry.api.api_owners import ApiOwner
+from sentry.api.api_publish_status import ApiPublishStatus
+from sentry.api.base import control_silo_endpoint
+from sentry.api.bases.organization import ControlSiloOrganizationEndpoint
+from sentry.api.endpoints.organization_monitoring_provider_index import (
+    MONITORING_PROVIDERS,
+    MonitoringProviderPermission,
+)
+from sentry.identity import default_manager as identity_manager
+from sentry.identity.pipeline import IdentityPipeline
+from sentry.organizations.services.organization.model import RpcOrganization
+from sentry.users.models.identity import Identity, IdentityProvider
+
+logger = logging.getLogger(__name__)
+
+
+@control_silo_endpoint
+class OrganizationMonitoringProviderDetailsEndpoint(ControlSiloOrganizationEndpoint):
+    owner = ApiOwner.CODING_WORKFLOWS
+    publish_status = {
+        "POST": ApiPublishStatus.PRIVATE,
+        "DELETE": ApiPublishStatus.PRIVATE,
+    }
+    permission_classes = (MonitoringProviderPermission,)
+
+    def post(
+        self, request: Request, organization: RpcOrganization, provider_key: str, **kwargs: object
+    ) -> Response:
+        if not features.has("organizations:seer-infra-telemetry", organization, actor=request.user):
+            return Response(status=404)
+
+        if provider_key not in MONITORING_PROVIDERS:
+            return Response({"detail": "Unknown monitoring provider."}, status=400)
+
+        provider_type = identity_manager.get(provider_key)
+        try:
+            config = provider_type.get_pipeline_config(request.data)
+        except ValueError as e:
+            return Response({"detail": str(e)}, status=400)
+
+        idp: IdentityProvider | None = None
+        if not provider_type.auto_create_provider_model:
+            idp, _ = IdentityProvider.objects.get_or_create(type=provider_key, external_id="")
+
+        pipeline = IdentityPipeline(
+            request=request._request,
+            provider_key=provider_key,
+            organization=organization,
+            provider_model=idp,
+            config=config,
+        )
+        pipeline.initialize()
+
+        response = pipeline.current_step()
+
+        if isinstance(response, HttpResponseRedirect):
+            return Response({"redirectUrl": response.url})
+
+        logger.error(
+            "monitoring_provider.connect.unexpected_response",
+            extra={"provider": provider_key, "response_type": type(response).__name__},
+        )
+        return Response({"detail": "Failed to start OAuth flow."}, status=500)
+
+    def delete(
+        self, request: Request, organization: RpcOrganization, provider_key: str, **kwargs: object
+    ) -> Response:
+        if not features.has("organizations:seer-infra-telemetry", organization, actor=request.user):
+            return Response(status=404)
+
+        if provider_key not in MONITORING_PROVIDERS:
+            return Response({"detail": "Unknown monitoring provider."}, status=400)
+
+        identities = list(
+            Identity.objects.filter(
+                idp__type=provider_key,
+                user_id=request.user.id,  # type: ignore[misc]
+            )
+        )
+
+        if not identities:
+            return Response({"detail": "Not connected to this provider."}, status=404)
+
+        for identity in identities:
+            identity.delete()
+
+        return Response(status=204)
diff --git a/src/sentry/api/endpoints/organization_monitoring_provider_index.py b/src/sentry/api/endpoints/organization_monitoring_provider_index.py
@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from sentry import features
+from sentry.api.api_owners import ApiOwner
+from sentry.api.api_publish_status import ApiPublishStatus
+from sentry.api.base import control_silo_endpoint
+from sentry.api.bases.organization import (
+    ControlSiloOrganizationEndpoint,
+    OrganizationPermission,
+)
+from sentry.organizations.services.organization.model import RpcOrganization
+from sentry.users.models.identity import Identity
+
+MONITORING_PROVIDERS: dict[str, dict[str, str]] = {
+    "datadog": {"name": "Datadog"},
+    "gcp": {"name": "Google Cloud Platform"},
+}
+
+
+class MonitoringProviderPermission(OrganizationPermission):
+    scope_map = {
+        "GET": ["org:read", "org:write", "org:admin"],
+        "POST": ["org:read", "org:write", "org:admin"],
+        "DELETE": ["org:read", "org:write", "org:admin"],
+    }
+
+
+@control_silo_endpoint
+class OrganizationMonitoringProviderIndexEndpoint(ControlSiloOrganizationEndpoint):
+    owner = ApiOwner.CODING_WORKFLOWS
+    publish_status = {
+        "GET": ApiPublishStatus.PRIVATE,
+    }
+    permission_classes = (MonitoringProviderPermission,)
+
+    def get(self, request: Request, organization: RpcOrganization, **kwargs: object) -> Response:
+        if not features.has("organizations:seer-infra-telemetry", organization, actor=request.user):
+            return Response(status=404)
+
+        connected_identities = {
+            identity.idp.type: identity
+            for identity in Identity.objects.filter(
+                idp__type__in=MONITORING_PROVIDERS.keys(),
+                user_id=request.user.id,  # type: ignore[misc]
+            ).select_related("idp")
+        }
+
+        providers = []
+        for key, meta in MONITORING_PROVIDERS.items():
+            identity = connected_identities.get(key)
+            providers.append(
+                {
+                    "provider": key,
+                    "name": meta["name"],
+                    "connected": identity is not None,
+                }
+            )
+
+        return Response({"providers": providers})
diff --git a/src/sentry/api/urls.py b/src/sentry/api/urls.py
@@ -19,6 +19,12 @@
 from sentry.api.endpoints.organization_insights_tree import OrganizationInsightsTreeEndpoint
 from sentry.api.endpoints.organization_intercom_jwt import OrganizationIntercomJwtEndpoint
 from sentry.api.endpoints.organization_missing_org_members import OrganizationMissingMembersEndpoint
+from sentry.api.endpoints.organization_monitoring_provider_details import (
+    OrganizationMonitoringProviderDetailsEndpoint,
+)
+from sentry.api.endpoints.organization_monitoring_provider_index import (
+    OrganizationMonitoringProviderIndexEndpoint,
+)
 from sentry.api.endpoints.organization_pipeline import OrganizationPipelineEndpoint
 from sentry.api.endpoints.organization_plugin_deprecation_info import (
     OrganizationPluginDeprecationInfoEndpoint,
@@ -1907,6 +1913,16 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         OrganizationIssueTimeSeriesEndpoint.as_view(),
         name="sentry-api-0-organization-issue-timeseries",
     ),
+    re_path(
+        r"^(?P<organization_id_or_slug>[^/]+)/monitoring-providers/$",
+        OrganizationMonitoringProviderIndexEndpoint.as_view(),
+        name="sentry-api-0-organization-monitoring-providers",
+    ),
+    re_path(
+        r"^(?P<organization_id_or_slug>[^/]+)/monitoring-providers/(?P<provider_key>[^/]+)/$",
+        OrganizationMonitoringProviderDetailsEndpoint.as_view(),
+        name="sentry-api-0-organization-monitoring-provider-details",
+    ),
     re_path(
         r"^(?P<organization_id_or_slug>[^/]+)/integrations/$",
         OrganizationIntegrationsEndpoint.as_view(),
diff --git a/src/sentry/identity/base.py b/src/sentry/identity/base.py
@@ -24,6 +24,14 @@ def __init__(self, **config):
         self.config = config
         self.logger = logging.getLogger(f"sentry.identity.{self.key}")
 
+    def get_pipeline_config(self, data: dict[str, Any]) -> dict[str, str]:
+        """
+        Extract and validate provider-specific configuration from request data.
+
+        Raises ValueError if required configuration is missing or invalid.
+        """
+        return {}
+
     def build_identity(self, state):
         """
         Return a mapping containing the identity information.
diff --git a/src/sentry/identity/datadog/provider.py b/src/sentry/identity/datadog/provider.py
@@ -260,6 +260,12 @@ class DatadogIdentityProvider(OAuth2Provider):
         "monitors_read",
     )
 
+    def get_pipeline_config(self, data: dict[str, Any]) -> dict[str, str]:
+        site = data.get("site")
+        if not site:
+            raise ValueError("Datadog requires a 'site' parameter (e.g. 'datadoghq.com').")
+        return {"site": site}
+
     def _get_mcp_base_url(self) -> str:
         return f"https://mcp.{self._get_oauth_parameter('site')}"
 
diff --git a/src/sentry/identity/manager.py b/src/sentry/identity/manager.py
@@ -1,7 +1,7 @@
 __all__ = ["IdentityManager"]
 
-
 from sentry.exceptions import NotRegistered
+from sentry.identity.base import Provider
 
 
 class IdentityManager:
@@ -15,10 +15,11 @@ def __iter__(self):
     def all(self):
         for key in self.__values.keys():
             provider = self.get(key)
-            if provider.is_configured():
+            is_configured = getattr(provider, "is_configured", None)
+            if is_configured is None or is_configured():
                 yield provider
 
-    def get(self, key, **kwargs):
+    def get(self, key: str, **kwargs) -> Provider:
         try:
             cls = self.__values[key]
         except KeyError:
diff --git a/static/app/utils/api/knownSentryApiUrls.generated.ts b/static/app/utils/api/knownSentryApiUrls.generated.ts
@@ -272,6 +272,8 @@ export type KnownSentryApiUrls =
   | '/organizations/$organizationIdOrSlug/metrics-estimation-stats/'
   | '/organizations/$organizationIdOrSlug/metrics/data/'
   | '/organizations/$organizationIdOrSlug/missing-members/'
+  | '/organizations/$organizationIdOrSlug/monitoring-providers/'
+  | '/organizations/$organizationIdOrSlug/monitoring-providers/$providerKey/'
   | '/organizations/$organizationIdOrSlug/monitors-count/'
   | '/organizations/$organizationIdOrSlug/monitors-schedule-buckets/'
   | '/organizations/$organizationIdOrSlug/monitors-schedule-data/'
diff --git a/tests/sentry/api/endpoints/test_organization_monitoring_provider_details.py b/tests/sentry/api/endpoints/test_organization_monitoring_provider_details.py
diff --git a/tests/sentry/api/endpoints/test_organization_monitoring_provider_index.py b/tests/sentry/api/endpoints/test_organization_monitoring_provider_index.py
