feat: use common helm

Author: Jordan-Williams2

README.md

@@ -82,7 +82,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [helm_release.logs_agent](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.sysdig_agent](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [ibm_container_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster) | data source |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_cluster) | data source |
@@ -91,29 +91,21 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_agent_additional_metadata"></a> [agent\_additional\_metadata](#input\_agent\_additional\_metadata) | The list of additional metadata fields to add to the routed logs. | <pre>list(object({<br/>    key   = optional(string)<br/>    value = optional(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_agent_iam_api_key"></a> [agent\_iam\_api\_key](#input\_agent\_iam\_api\_key) | The IBM Cloud API key for the Logs agent to authenticate and communicate with the IBM Cloud Logs. | `string` | n/a | yes |
+| <a name="input_agent_name"></a> [agent\_name](#input\_agent\_name) | The name of the Logs agent. The name is used in all Kubernetes and Helm resources in the cluster. | `string` | `"logs-agent"` | no |
+| <a name="input_agent_namespace"></a> [agent\_namespace](#input\_agent\_namespace) | The namespace where the Logs agent is deployed. The default value is `ibm-agent`. | `string` | `"ibm-agent"` | no |
+| <a name="input_agent_resources"></a> [agent\_resources](#input\_agent\_resources) | The resources configuration for cpu/memory/storage. [Learn More](https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-agent-helm-template-clusters#agent-helm-template-clusters-chart-options-resources) | <pre>object({<br/>    limits = object({<br/>      cpu    = string<br/>      memory = string<br/>    })<br/>    requests = object({<br/>      cpu    = string<br/>      memory = string<br/>    })<br/>  })</pre> | <pre>{<br/>  "limits": {<br/>    "cpu": "500m",<br/>    "memory": "3Gi"<br/>  },<br/>  "requests": {<br/>    "cpu": "100m",<br/>    "memory": "1Gi"<br/>  }<br/>}</pre> | no |
+| <a name="input_agent_tolerations"></a> [agent\_tolerations](#input\_agent\_tolerations) | List of tolerations to apply to Logs agent. The default value means a pod will run on every node. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
+| <a name="input_chart_location"></a> [chart\_location](#input\_chart\_location) | The location of the Helm chart for the Sysdig agent. | `string` | `"sysdig-deploy"` | no |
+| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | The repository URL for the Sysdig Helm chart. | `string` | `"https://charts.sysdig.com"` | no |
+| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the Sysdig Helm chart to deploy. | `string` | `"1.14.6"` | no |
 | <a name="input_cloud_logs_ingress_endpoint"></a> [cloud\_logs\_ingress\_endpoint](#input\_cloud\_logs\_ingress\_endpoint) | The host for IBM Cloud Logs ingestion. Ensure you use the ingress endpoint. See https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-endpoints_ingress. | `string` | n/a | yes |
-| <a name="input_cloud_logs_ingress_port"></a> [cloud\_logs\_ingress\_port](#input\_cloud\_logs\_ingress\_port) | The target port for the IBM Cloud Logs ingestion endpoint. The port must be 443 if you connect by using a VPE gateway, or port 3443 when you connect by using CSEs. | `number` | `3443` | no |
 | <a name="input_cluster_config_endpoint_type"></a> [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | The type of endpoint to use for the cluster config access: `default`, `private`, `vpe`, or `link`. The `default` value uses the default endpoint of the cluster. | `string` | `"default"` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster to deploy the agent. | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
 | <a name="input_is_vpc_cluster"></a> [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster for the agent is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
-| <a name="input_logs_agent_additional_log_source_paths"></a> [logs\_agent\_additional\_log\_source\_paths](#input\_logs\_agent\_additional\_log\_source\_paths) | The list of additional log sources. By default, the Logs agent collects logs from a single source at `/var/log/containers/*.log`. | `list(string)` | `[]` | no |
-| <a name="input_logs_agent_additional_metadata"></a> [logs\_agent\_additional\_metadata](#input\_logs\_agent\_additional\_metadata) | The list of additional metadata fields to add to the routed logs. | <pre>list(object({<br/>    key   = optional(string)<br/>    value = optional(string)<br/>  }))</pre> | `[]` | no |
-| <a name="input_logs_agent_chart_location"></a> [logs\_agent\_chart\_location](#input\_logs\_agent\_chart\_location) | The location of the Helm chart for the Logs agent. | `string` | `"oci://icr.io/ibm/observe/logs-agent-helm"` | no |
-| <a name="input_logs_agent_chart_version"></a> [logs\_agent\_chart\_version](#input\_logs\_agent\_chart\_version) | The version of the helm chart to deploy. | `string` | `"1.4.2"` | no |
-| <a name="input_logs_agent_enable_scc"></a> [logs\_agent\_enable\_scc](#input\_logs\_agent\_enable\_scc) | Whether to enable creation of Security Context Constraints in Openshift. When installing on an OpenShift cluster, this setting is mandatory to configure permissions for pods within your cluster. | `bool` | `true` | no |
-| <a name="input_logs_agent_exclude_log_source_paths"></a> [logs\_agent\_exclude\_log\_source\_paths](#input\_logs\_agent\_exclude\_log\_source\_paths) | The list of log sources to exclude. Specify the paths that the Logs agent ignores. | `list(string)` | `[]` | no |
-| <a name="input_logs_agent_iam_api_key"></a> [logs\_agent\_iam\_api\_key](#input\_logs\_agent\_iam\_api\_key) | The IBM Cloud API key for the Logs agent to authenticate and communicate with the IBM Cloud Logs. It is required if `logs_agent_iam_mode` is set to `IAMAPIKey`. | `string` | `null` | no |
-| <a name="input_logs_agent_iam_environment"></a> [logs\_agent\_iam\_environment](#input\_logs\_agent\_iam\_environment) | IAM authentication Environment: `Production` or `PrivateProduction` or `Staging` or `PrivateStaging`. `Production` specifies the public endpoint & `PrivateProduction` specifies the private endpoint. | `string` | `"PrivateProduction"` | no |
-| <a name="input_logs_agent_iam_mode"></a> [logs\_agent\_iam\_mode](#input\_logs\_agent\_iam\_mode) | IAM authentication mode: `TrustedProfile` or `IAMAPIKey`. | `string` | `"TrustedProfile"` | no |
-| <a name="input_logs_agent_log_source_namespaces"></a> [logs\_agent\_log\_source\_namespaces](#input\_logs\_agent\_log\_source\_namespaces) | The list of namespaces from which logs should be forwarded by agent. If namespaces are not listed, logs from all namespaces will be sent. | `list(string)` | `[]` | no |
-| <a name="input_logs_agent_name"></a> [logs\_agent\_name](#input\_logs\_agent\_name) | The name of the Logs agent. The name is used in all Kubernetes and Helm resources in the cluster. | `string` | `"logs-agent"` | no |
-| <a name="input_logs_agent_namespace"></a> [logs\_agent\_namespace](#input\_logs\_agent\_namespace) | The namespace where the Logs agent is deployed. The default value is `ibm-agent`. | `string` | `"ibm-agent"` | no |
-| <a name="input_logs_agent_resources"></a> [logs\_agent\_resources](#input\_logs\_agent\_resources) | The resources configuration for cpu/memory/storage. [Learn More](https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-agent-helm-template-clusters#agent-helm-template-clusters-chart-options-resources) | <pre>object({<br/>    limits = object({<br/>      cpu    = string<br/>      memory = string<br/>    })<br/>    requests = object({<br/>      cpu    = string<br/>      memory = string<br/>    })<br/>  })</pre> | <pre>{<br/>  "limits": {<br/>    "cpu": "500m",<br/>    "memory": "3Gi"<br/>  },<br/>  "requests": {<br/>    "cpu": "100m",<br/>    "memory": "1Gi"<br/>  }<br/>}</pre> | no |
-| <a name="input_logs_agent_selected_log_source_paths"></a> [logs\_agent\_selected\_log\_source\_paths](#input\_logs\_agent\_selected\_log\_source\_paths) | The list of specific log sources paths. Logs will only be collected from the specified log source paths. If no paths are specified, it will send logs from `/var/log/containers`. | `list(string)` | `[]` | no |
-| <a name="input_logs_agent_tolerations"></a> [logs\_agent\_tolerations](#input\_logs\_agent\_tolerations) | List of tolerations to apply to Logs agent. The default value means a pod will run on every node. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
-| <a name="input_logs_agent_trusted_profile"></a> [logs\_agent\_trusted\_profile](#input\_logs\_agent\_trusted\_profile) | The IBM Cloud trusted profile ID. Used only when `logs_agent_iam_mode` is set to `TrustedProfile`. The trusted profile must have an IBM Cloud Logs `Sender` role. | `string` | `null` | no |
-| <a name="input_logs_agent_version"></a> [logs\_agent\_version](#input\_logs\_agent\_version) | The version of the Logs agent to deploy. | `string` | `"1.4.2"` | no |
+| <a name="input_node_analyzer_enabled"></a> [node\_analyzer\_enabled](#input\_node\_analyzer\_enabled) | Enable or disable the Node Analyzer feature in the Sysdig agent. | `bool` | `true` | no |
 | <a name="input_wait_till"></a> [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal` | `string` | `"Normal"` | no |
 | <a name="input_wait_till_timeout"></a> [wait\_till\_timeout](#input\_wait\_till\_timeout) | Timeout for wait\_till in minutes. | `number` | `90` | no |
 

examples/logs-agent-iks/main.tf

@@ -148,9 +148,6 @@ module "logs_agent" {
   is_vpc_cluster            = var.is_vpc_cluster
   cluster_resource_group_id = module.resource_group.resource_group_id
   # Logs Agent
-  logs_agent_iam_mode         = "IAMAPIKey"
-  logs_agent_iam_api_key      = module.iam_service_id.service_id_apikey
+  agent_iam_api_key           = module.iam_service_id.service_id_apikey
   cloud_logs_ingress_endpoint = module.cloud_logs.ingress_private_endpoint
-  cloud_logs_ingress_port     = 3443
-  logs_agent_enable_scc       = false # only true for Openshift
 }

examples/logs-agent-ocp/main.tf

@@ -11,37 +11,24 @@ module "resource_group" {
 }
 
 ##############################################################################
-# Trusted Profile
+# Service ID with logs sender role + apikey
 ##############################################################################
 
-locals {
-  logs_agent_namespace = "ibm-agent"
-  logs_agent_name      = "logs-agent"
-}
-
-
-module "trusted_profile" {
-  source                      = "terraform-ibm-modules/trusted-profile/ibm"
-  version                     = "1.0.5"
-  trusted_profile_name        = "${var.prefix}-profile"
-  trusted_profile_description = "Logs agent Trusted Profile"
-  # As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agent and routers sending logs.
-  trusted_profile_policies = [{
-    roles = ["Sender"]
-    resources = [{
-      service = "logs"
-    }]
-  }]
-  # Set up fine-grained authorization for `logs-agent` running in ROKS cluster in `ibm-agent` namespace.
-  trusted_profile_links = [{
-    cr_type = "ROKS_SA"
-    links = [{
-      crn       = module.ocp_base.cluster_crn
-      namespace = local.logs_agent_namespace
-      name      = local.logs_agent_name
-    }]
+# As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agent and routers sending logs.
+module "iam_service_id" {
+  source                          = "terraform-ibm-modules/iam-service-id/ibm"
+  version                         = "1.2.0"
+  iam_service_id_name             = "${var.prefix}-service-id"
+  iam_service_id_description      = "Logs Agent service id"
+  iam_service_id_apikey_provision = true
+  iam_service_policies = {
+    logs = {
+      roles = ["Sender"]
+      resources = [{
+        service = "logs"
+      }]
     }
-  ]
+  }
 }
 
 ########################################################################################################################
@@ -172,23 +159,27 @@ module "vpe" {
 # Logs Agent
 ##############################################################################
 
+locals {
+  agent_namespace = "ibm-agent"
+  agent_name      = "logs-agent"
+}
+
 module "logs_agent" {
   source                    = "../.."
   depends_on                = [module.vpe]
   cluster_id                = module.ocp_base.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
   # Logs agent
-  logs_agent_trusted_profile  = module.trusted_profile.trusted_profile.id
-  logs_agent_namespace        = local.logs_agent_namespace
-  logs_agent_name             = local.logs_agent_name
+  agent_namespace             = local.agent_namespace
+  agent_name                  = local.agent_name
   cloud_logs_ingress_endpoint = module.cloud_logs.ingress_private_endpoint
-  cloud_logs_ingress_port     = 443
+  agent_iam_api_key           = module.iam_service_id.service_id_apikey
   # example of how to add additional metadata to the logs agent
-  logs_agent_additional_metadata = [{
+  agent_additional_metadata = [{
     key   = "cluster_id"
     value = module.ocp_base.cluster_id
   }]
-  logs_agent_resources = {
+  agent_resources = {
     limits = {
       cpu    = "500m"
       memory = "3Gi"
@@ -198,6 +189,4 @@ module "logs_agent" {
       memory = "1Gi"
     }
   }
-  # example of how to add additional log source path
-  logs_agent_additional_log_source_paths = ["/logs/*.log"]
 }

ibm_catalog.json

@@ -90,94 +90,40 @@
                 "key": "is_vpc_cluster",
                 "required": true
               },
-              {
-                "key": "is_ocp_cluster",
-                "required": true
-              },
               {
                 "key": "cloud_logs_ingress_endpoint",
                 "required": true
               },
               {
-                "key": "cloud_logs_ingress_port",
+                "key": "agent_iam_api_key",
                 "required": true
               },
               {
-                "key": "logs_agent_trusted_profile_id",
-                "required": true
-              },
-              {
-                "key": "logs_agent_chart_location"
-              },
-              {
-                "key": "logs_agent_chart_version"
-              },
-              {
-                "key": "logs_agent_version"
-              },
-              {
-                "key": "logs_agent_resources"
-              },
-              {
-                "key": "logs_agent_additional_log_source_paths"
-              },
-              {
-                "key": "logs_agent_additional_metadata"
-              },
-              {
-                "key": "logs_agent_exclude_log_source_paths"
+                "key": "node_analyzer_enabled"
               },
               {
-                "key": "logs_agent_iam_api_key"
+                "key": "chart_location"
               },
               {
-                "key": "logs_agent_iam_environment",
-                "options": [
-                  {
-                    "displayname": "Production",
-                    "value": "Production"
-                  },
-                  {
-                    "displayname": "Private Production",
-                    "value": "PrivateProduction"
-                  },
-                  {
-                    "displayname": "Staging",
-                    "value": "Staging"
-                  },
-                  {
-                    "displayname": "Private Staging",
-                    "value": "PrivateStaging"
-                  }
-                ]
+                "key": "chart_repository"
               },
               {
-                "key": "logs_agent_iam_mode",
-                "options": [
-                  {
-                    "displayname": "Trusted Profile",
-                    "value": "TrustedProfile"
-                  },
-                  {
-                    "displayname": "IAM API Key",
-                    "value": "IAMAPIKey"
-                  }
-                ]
+                "key": "chart_version"
               },
               {
-                "key": "logs_agent_log_source_namespaces"
+                "key": "agent_resources"
               },
               {
-                "key": "logs_agent_name"
+                "key": "agent_additional_metadata"
               },
               {
-                "key": "logs_agent_namespace"
+                "key": "agent_name"
               },
               {
-                "key": "logs_agent_selected_log_source_paths"
+                "key": "agent_namespace"
               },
               {
-                "key": "logs_agent_tolerations"
+                "key": "agent_tolerations"
               },
               {
                 "key": "cluster_config_endpoint_type"