add monitoring and logs agent

mukulpalit-ibm · mukulpalit-ibm · commit 6e4dbb10bc48 · 2025-12-08T20:37:32.000+05:30
diff --git a/examples/monolith/README.md b/examples/monolith/README.md
@@ -6,18 +6,21 @@ The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
 - A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker boot volume encryption.
 - A VPC with subnets across 3 zones.
-- A public gateway for all the three zones
+- A public gateway for all the three zones.
 - A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone.
 - An additional worker pool named workerpool is created and attached to the cluster using the worker-pool submodule.
 - Auto scaling enabled for the default worker pool.
 - Taints against the workers in zone-2 and zone-3.
 - Enable Kubernetes API server audit logs.
-- A Cloud logs instance
-- A Cloud monitoring instance
-- An activity tracker event routing instance
-- A secrets manager instance
+- A Cloud logs instance.
+- A Cloud monitoring instance.
+- An activity tracker event routing instance.
+- A secrets manager instance.
 - A COS instance along with 3 buckets for VPC flow logs, metrics/data bucket and activity tracker bucket.
-- A SCC-WP instance
-- A VPC instance
-- An event notifications instance
-- An app configuration service with aggregator enabled
+- A SCC-WP instance.
+- A VPC instance.
+- An event notifications instance.
+- An app configuration service with aggregator enabled.
+- Monitoring agent.
+- A Trusted Profile with Sender role to logs service.
+- Logs agent.
diff --git a/examples/monolith/main.tf b/examples/monolith/main.tf
@@ -216,3 +216,87 @@ module "kube_audit" {
   audit_webhook_listener_image            = var.audit_webhook_listener_image
   audit_webhook_listener_image_tag_digest = var.audit_webhook_listener_image_tag_digest
 }
+
+##############################################################################
+# Monitoring Agents
+##############################################################################
+
+module "monitoring_agent" {
+  source                    = "terraform-ibm-modules/monitoring-agent/ibm"
+  version                   = "1.19.0"
+  cluster_id                = module.ocp_base.cluster_id
+  cluster_resource_group_id = module.resource_group.resource_group_id
+  is_vpc_cluster            = true
+  access_key                = module.monolith_add_ons.cloud_monitoring_access_key
+  instance_region           = var.region
+  metrics_filter            = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+  container_filter          = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  blacklisted_ports         = [22, 2379, 3306]
+  agent_tags                = { "environment" : "test", "custom" : "value" }
+  agent_mode                = "troubleshooting"
+}
+
+##############################################################################
+# Logs Agent
+##############################################################################
+
+locals {
+  logs_agent_namespace = "ibm-observe"
+  logs_agent_name      = "logs-agent"
+}
+
+module "trusted_profile" {
+  source                      = "terraform-ibm-modules/trusted-profile/ibm"
+  version                     = "3.2.0"
+  trusted_profile_name        = "${var.prefix}-profile"
+  trusted_profile_description = "Logs agent Trusted Profile"
+  # As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agent and routers sending logs.
+  trusted_profile_policies = [{
+    roles             = ["Sender"]
+    unique_identifier = "logs-agent"
+    resources = [{
+      service = "logs"
+    }]
+  }]
+  # Set up fine-grained authorization for `logs-agent` running in ROKS cluster in `ibm-observe` namespace.
+  trusted_profile_links = [{
+    cr_type           = "ROKS_SA"
+    unique_identifier = "logs-agent-link"
+    links = [{
+      crn       = module.ocp_base.cluster_crn
+      namespace = local.logs_agent_namespace
+      name      = local.logs_agent_name
+    }]
+    }
+  ]
+}
+
+module "logs_agent" {
+  source                    = "terraform-ibm-modules/logs-agent/ibm"
+  version                   = "1.10.0"
+  cluster_id                = module.ocp_base.cluster_id
+  cluster_resource_group_id = module.resource_group.resource_group_id
+  # Logs agent
+  logs_agent_trusted_profile_id = module.trusted_profile.trusted_profile.id
+  logs_agent_namespace          = local.logs_agent_namespace
+  logs_agent_name               = local.logs_agent_name
+  cloud_logs_ingress_endpoint   = module.monolith_add_ons.cloud_logs_ingress_private_endpoint
+  cloud_logs_ingress_port       = 3443
+  # example of how to add additional metadata to the logs agent
+  logs_agent_additional_metadata = [{
+    key   = "cluster_id"
+    value = module.ocp_base.cluster_id
+  }]
+  logs_agent_resources = {
+    limits = {
+      cpu    = "500m"
+      memory = "3Gi"
+    }
+    requests = {
+      cpu    = "100m"
+      memory = "1Gi"
+    }
+  }
+  # example of how to add additional log source path
+  logs_agent_system_logs = ["/logs/*.log"]
+}
diff --git a/modules/monolith/README.md b/modules/monolith/README.md
@@ -13,6 +13,8 @@ The primary goal of this module is to provision an OpenShift cluster on VPC and
 * `Activity Tracker and Event Routing`: Configure event routing for platform audit logs to a COS bucket or IBM Cloud Logs.
 * `Security & Compliance`: Optional integration with IBM Cloud Security and Compliance Center (SCC) Workload Protection.
 * `VPE Gateways`: Optional configuration of Virtual Private Endpoint (VPE) gateways for secure private connectivity to cloud services.
+* `Event Notifications`: Optional provision and configuration of IBM Cloud Event Notifications for centralized event routing and management, with support for KMS encryption and failed event collection in COS.
+* `App Configuration`: Optional provision and configuration of IBM Cloud App Configuration for centralized feature flag and property management, securely integrated with KMS and Event Notifications.
 
 ## Usage
 
@@ -203,7 +205,7 @@ module "monolith_ocp_add_ons" {
 | <a name="input_metrics_router_routes"></a> [metrics\_router\_routes](#input\_metrics\_router\_routes) | Routes for IBM Cloud Metrics Routing. | <pre>list(object({<br/>    name = string<br/>    rules = list(object({<br/>      action = string<br/>      targets = list(object({<br/>        id = string<br/>      }))<br/>      inclusion_filters = list(object({<br/>        operand  = string<br/>        operator = string<br/>        values   = list(string)<br/>      }))<br/>    }))<br/>  }))</pre> | `[]` | no |
 | <a name="input_metrics_routing_route_name"></a> [metrics\_routing\_route\_name](#input\_metrics\_routing\_route\_name) | The name of the IBM Cloud Metrics Routing route for the default route that indicate what metrics are routed in a region and where to store them. If the prefix variable is passed, the name of the target is prefixed to the value in the `<prefix>-value` format. | `string` | `"metrics-routing-route"` | no |
 | <a name="input_metrics_routing_target_name"></a> [metrics\_routing\_target\_name](#input\_metrics\_routing\_target\_name) | The name of the IBM Cloud Metrics Routing target where metrics are collected. If the prefix variable is passed, the name of the target is prefixed to the value in the `<prefix>-value` format. | `string` | `"cloud-monitoring-target"` | no |
-| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | <pre>list(<br/>    object({<br/>      name                         = string<br/>      add_ibm_cloud_internal_rules = optional(bool)<br/>      add_vpc_connectivity_rules   = optional(bool)<br/>      prepend_ibm_rules            = optional(bool)<br/>      rules = list(<br/>        object({<br/>          name        = string<br/>          action      = string<br/>          destination = string<br/>          direction   = string<br/>          source      = string<br/>          tcp = optional(<br/>            object({<br/>              port_max        = optional(number)<br/>              port_min        = optional(number)<br/>              source_port_max = optional(number)<br/>              source_port_min = optional(number)<br/>            })<br/>          )<br/>          udp = optional(<br/>            object({<br/>              port_max        = optional(number)<br/>              port_min        = optional(number)<br/>              source_port_max = optional(number)<br/>              source_port_min = optional(number)<br/>            })<br/>          )<br/>          icmp = optional(<br/>            object({<br/>              type = optional(number)<br/>              code = optional(number)<br/>            })<br/>          )<br/>        })<br/>      )<br/>    })<br/>  )</pre> | <pre>[<br/>  {<br/>    "add_ibm_cloud_internal_rules": true,<br/>    "add_vpc_connectivity_rules": true,<br/>    "name": "vpc-acl",<br/>    "prepend_ibm_rules": true,<br/>    "rules": [<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-all-443-inbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 443,<br/>          "port_min": 443,<br/>          "source_port_max": 443,<br/>          "source_port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-all-80-inbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 80,<br/>          "port_min": 80,<br/>          "source_port_max": 80,<br/>          "source_port_min": 80<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-all-22-inbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 22,<br/>          "port_min": 22,<br/>          "source_port_max": 22,<br/>          "source_port_min": 22<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-all-443-outbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 443,<br/>          "port_min": 443,<br/>          "source_port_max": 443,<br/>          "source_port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-all-80-outbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 80,<br/>          "port_min": 80,<br/>          "source_port_max": 80,<br/>          "source_port_min": 80<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-all-22-outbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 22,<br/>          "port_min": 22,<br/>          "source_port_max": 22,<br/>          "source_port_min": 22<br/>        }<br/>      }<br/>    ]<br/>  }<br/>]</pre> | no |
+| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | <pre>list(<br/>    object({<br/>      name                         = string<br/>      add_ibm_cloud_internal_rules = optional(bool)<br/>      add_vpc_connectivity_rules   = optional(bool)<br/>      prepend_ibm_rules            = optional(bool)<br/>      rules = list(<br/>        object({<br/>          name        = string<br/>          action      = string<br/>          destination = string<br/>          direction   = string<br/>          source      = string<br/>          tcp = optional(<br/>            object({<br/>              port_max        = optional(number)<br/>              port_min        = optional(number)<br/>              source_port_max = optional(number)<br/>              source_port_min = optional(number)<br/>            })<br/>          )<br/>          udp = optional(<br/>            object({<br/>              port_max        = optional(number)<br/>              port_min        = optional(number)<br/>              source_port_max = optional(number)<br/>              source_port_min = optional(number)<br/>            })<br/>          )<br/>          icmp = optional(<br/>            object({<br/>              type = optional(number)<br/>              code = optional(number)<br/>            })<br/>          )<br/>        })<br/>      )<br/>    })<br/>  )</pre> | <pre>[<br/>  {<br/>    "add_ibm_cloud_internal_rules": true,<br/>    "add_vpc_connectivity_rules": true,<br/>    "name": "vpc-acl",<br/>    "prepend_ibm_rules": true,<br/>    "rules": [<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-443-inbound-source",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "source_port_max": 443,<br/>          "source_port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-443-inbound-dest",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 443,<br/>          "port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-all-80-inbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "source_port_max": 80,<br/>          "source_port_min": 80<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "inbound",<br/>        "name": "allow-all-ingress-inbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "source_port_max": 32767,<br/>          "source_port_min": 30000<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-443-outbound-source",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "source_port_max": 443,<br/>          "source_port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-443-outbound-dest",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 443,<br/>          "port_min": 443<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-all-80-outbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 80,<br/>          "port_min": 80<br/>        }<br/>      },<br/>      {<br/>        "action": "allow",<br/>        "destination": "0.0.0.0/0",<br/>        "direction": "outbound",<br/>        "name": "allow-all-ingress-outbound",<br/>        "source": "0.0.0.0/0",<br/>        "tcp": {<br/>          "port_max": 32767,<br/>          "port_min": 30000<br/>        }<br/>      }<br/>    ]<br/>  }<br/>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision all resources in. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
diff --git a/modules/monolith/variables.tf b/modules/monolith/variables.tf
@@ -1704,53 +1704,67 @@ variable "network_acls" {
       prepend_ibm_rules            = true
       rules = [
         {
-          name      = "allow-all-443-inbound"
+          name      = "allow-443-inbound-source"
           action    = "allow"
           direction = "inbound"
           tcp = {
-            port_min        = 443
-            port_max        = 443
             source_port_min = 443
             source_port_max = 443
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         },
+        {
+          name      = "allow-443-inbound-dest"
+          action    = "allow"
+          direction = "inbound"
+          tcp = {
+            port_max = 443
+            port_min = 443
+          }
+          destination = "0.0.0.0/0"
+          source      = "0.0.0.0/0"
+        },
         {
           name      = "allow-all-80-inbound"
           action    = "allow"
           direction = "inbound"
           tcp = {
-            port_min        = 80
-            port_max        = 80
             source_port_min = 80
             source_port_max = 80
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         },
         {
-          name      = "allow-all-22-inbound"
+          name      = "allow-all-ingress-inbound"
           action    = "allow"
           direction = "inbound"
           tcp = {
-            port_min        = 22
-            port_max        = 22
-            source_port_min = 22
-            source_port_max = 22
+            source_port_min = 30000
+            source_port_max = 32767
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         },
         {
-          name      = "allow-all-443-outbound"
+          name      = "allow-443-outbound-source"
           action    = "allow"
           direction = "outbound"
           tcp = {
             source_port_min = 443
             source_port_max = 443
-            port_min        = 443
-            port_max        = 443
+          }
+          destination = "0.0.0.0/0"
+          source      = "0.0.0.0/0"
+        },
+        {
+          name      = "allow-443-outbound-dest"
+          action    = "allow"
+          direction = "outbound"
+          tcp = {
+            port_min = 443
+            port_max = 443
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
@@ -1760,23 +1774,19 @@ variable "network_acls" {
           action    = "allow"
           direction = "outbound"
           tcp = {
-            source_port_min = 80
-            source_port_max = 80
-            port_min        = 80
-            port_max        = 80
+            port_min = 80
+            port_max = 80
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         },
         {
-          name      = "allow-all-22-outbound"
+          name      = "allow-all-ingress-outbound"
           action    = "allow"
           direction = "outbound"
           tcp = {
-            source_port_min = 22
-            source_port_max = 22
-            port_min        = 22
-            port_max        = 22
+            port_min = 30000
+            port_max = 32767
           }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
diff --git a/tests/other_test.go b/tests/other_test.go
@@ -219,10 +219,19 @@ func TestMonolithExample(t *testing.T) {
 		DeleteWorkspaceOnFail:  false,
 		WaitJobCompleteMinutes: 240,
 		IgnoreAdds: testhelper.Exemptions{
-			List: []string{"module.monolith_add_ons.module.scc_wp.restapi_object.cspm"},
+			List: []string{
+				"module.monolith_add_ons.module.scc_wp.restapi_object.cspm",
+			},
 		},
 		IgnoreUpdates: testhelper.Exemptions{
-			List: []string{"module.ocp_base.ibm_container_addons.addons"},
+			List: []string{
+				"module.ocp_base.ibm_container_addons.addons",
+				"module.logs_agent.helm_release.logs_agent",
+				"module.monitoring_agent.helm_release.cloud_monitoring_agent",
+				// Have to ignore account settings as other tests may be updating them concurrently
+				// which can cause consistency test to fail if not ignored.
+				"module.monolith_add_ons.module.metrics_routing[0].ibm_metrics_router_settings.metrics_router_settings[0]",
+			},
 		},
 	})
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
