terraform-ibm-modules
diff --git a/‎README.md‎
Lines changed: 11 additions & 3 deletions b/‎README.md‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎examples/obs-agent-iks/main.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/obs-agent-iks/main.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/obs-agent-iks/version.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/obs-agent-iks/version.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/obs-agent-ocp/main.tf‎
Lines changed: 6 additions & 5 deletions b/‎examples/obs-agent-ocp/main.tf‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎examples/obs-agent-ocp/outputs.tf‎
Lines changed: 30 additions & 5 deletions b/‎examples/obs-agent-ocp/outputs.tf‎
Lines changed: 30 additions & 5 deletions
diff --git a/‎examples/obs-agent-ocp/variables.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/obs-agent-ocp/variables.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/obs-agent-ocp/version.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/obs-agent-ocp/version.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ibm_catalog.json‎
Lines changed: 24 additions & 0 deletions b/‎ibm_catalog.json‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎main.tf‎
Lines changed: 56 additions & 11 deletions b/‎main.tf‎
Lines changed: 56 additions & 11 deletions
diff --git a/‎reference-architecture/deployable-architecture-monitoring-agent.svg‎
Lines changed: 1 addition & 1 deletion b/‎reference-architecture/deployable-architecture-monitoring-agent.svg‎
Lines changed: 1 addition & 1 deletion
@@ -83,7 +83,7 @@ You need the following permissions to run this module.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.15.0, <3.0.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.1, <2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.0, <2.0.0 |
 
 ### Modules
 
@@ -102,9 +102,16 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the IBM Cloud Monitoring agent to communicate with the instance | `string` | n/a | yes |
+| <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the IBM Cloud Monitoring agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored on a new secret on the cluster if passed. | `string` | `null` | no |
+| <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
 | <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the Cloud Monitoring agent image from. | `string` | `"agent-slim"` | no |
 | <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent. | `string` | `"13.9.2@sha256:0dcdb6d70bab60dae4bf5f70c338f2feb9daeba514f1b8ad513ed24724c2a04d"` | no |
+| <a name="input_agent_limits_cpu"></a> [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specifies the CPU limit for the agent. | `string` | `"1"` | no |
+| <a name="input_agent_limits_memory"></a> [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specifies the memory limit for the agent. | `string` | `"1024Mi"` | no |
+| <a name="input_agent_requests_cpu"></a> [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specifies the CPU requested to run in a node for the agent. | `string` | `"1"` | no |
+| <a name="input_agent_requests_memory"></a> [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specifies the memory requested to run in a node for the agent. | `string` | `"1024Mi"` | no |
+| <a name="input_agent_tags"></a> [agent\_tags](#input\_agent\_tags) | Map of tags to associate to all metrics that the agent collects. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag, e.g `{'environment': 'production'}.` | `map(string)` | `{}` | no |
+| <a name="input_blacklisted_ports"></a> [blacklisted\_ports](#input\_blacklisted\_ports) | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports). | `list(number)` | `[]` | no |
 | <a name="input_chart"></a> [chart](#input\_chart) | The name of the Helm chart to deploy. | `string` | `"sysdig-deploy"` | no |
 | <a name="input_chart_location"></a> [chart\_location](#input\_chart\_location) | The location of the Cloud Monitoring agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
 | <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the Cloud Monitoring agent helm chart to deploy. | `string` | `"1.85.1"` | no |
@@ -114,12 +121,13 @@ No modules.
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The Resource Group ID of the cluster | `string` | n/a | yes |
 | <a name="input_container_filter"></a> [container\_filter](#input\_container\_filter) | To filter custom containers, specify which containers to include or exclude from metrics collection for the cloud monitoring agent. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data. | <pre>list(object({<br/>    type      = string<br/>    parameter = string<br/>    name      = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_existing_access_key_secret_name"></a> [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using the Sysdig Agent `access_key`. Specify the name of a Kubernetes secret containing an access-key entry. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | <a name="input_image_registry_base_url"></a> [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc. | `string` | `"icr.io"` | no |
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull the Cloud Monitoring agent images from. | `string` | `"ext/sysdig"` | no |
 | <a name="input_is_vpc_cluster"></a> [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster for the monitoring agent is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
 | <a name="input_kernal_module_image_repository"></a> [kernal\_module\_image\_repository](#input\_kernal\_module\_image\_repository) | The image repository to pull the Cloud Monitoring agent kernal module initContainer image from. | `string` | `"agent-kmodule"` | no |
 | <a name="input_kernel_module_image_tag_digest"></a> [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent kernel module used by the initContainer. | `string` | `"13.9.2@sha256:a6b301f24557c5e14ab5abe62577340e7ab33ce11f33cfcd4797296d1603184a"` | no |
-| <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics. | <pre>list(object({<br/>    type = string<br/>    name = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics. | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Cloud Monitoring agent name. Used for naming all kubernetes and helm resources on the cluster. | `string` | `"sysdig-agent"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace where to deploy the Cloud Monitoring agent. Default value is 'ibm-observe' | `string` | `"ibm-observe"` | no |
 | <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | List of tolerations to apply to Cloud Monitoring agent. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  },<br/>  {<br/>    "effect": "NoSchedule",<br/>    "key": "node-role.kubernetes.io/master",<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
 
@@ -62,7 +62,7 @@ locals {
 
 module "ocp_base" {
   source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
-  version              = "3.49.1"
+  version              = "3.49.2"
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   tags                 = var.resource_tags
 
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = "1.78.2"
+      version = "1.79.0"
     }
     helm = {
       source  = "hashicorp/helm"
 
@@ -62,7 +62,7 @@ locals {
 
 module "ocp_base" {
   source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
-  version              = "3.49.1"
+  version              = "3.49.2"
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   tags                 = var.resource_tags
@@ -104,9 +104,10 @@ module "monitoring_agents" {
   cluster_id                = module.ocp_base.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
   # Monitoring agent
-  access_key = module.cloud_monitoring.access_key
-  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  metrics_filter                   = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
-  container_filter                 = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  access_key                       = module.cloud_monitoring.access_key
   cloud_monitoring_instance_region = var.region
+  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
+  metrics_filter    = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+  container_filter  = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  blacklisted_ports = [22, 2379, 3306]
 }
@@ -2,10 +2,35 @@
 # Outputs
 ##############################################################################
 
-#output "myoutput" {
-#  description = "Description of my output"
-#  value       = "value"
-#  depends_on  = [<some resource>]
-#}
+output "region" {
+  description = "The region where the resources are deployed."
+  value       = var.region
+}
+
+output "cloud_monitoring_name" {
+  description = "The name of the IBM Cloud Monitoring instance."
+  value       = module.cloud_monitoring.name
+}
+
+output "cloud_monitoring_access_key" {
+  description = "The access key that is used by the IBM Cloud Monitoring agent to communicate with the instance."
+  value       = module.cloud_monitoring.access_key
+  sensitive   = true
+}
+
+output "cluster_name" {
+  description = "The name of the OpenShift cluster."
+  value       = module.ocp_base.cluster_name
+}
+
+output "cluster_id" {
+  description = "The ID of the OpenShift cluster."
+  value       = module.ocp_base.cluster_id
+}
+
+output "cluster_resource_group_id" {
+  description = "The resource group ID of the cluster."
+  value       = module.resource_group.resource_group_id
+}
 
 ##############################################################################
@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "A prefix for the name of all resources that are created by this example"
-  default     = "obs-agent-ocp"
+  default     = "mon-agent"
 }
 
 variable "resource_group" {
@@ -31,7 +31,7 @@ variable "access_tags" {
 variable "region" {
   type        = string
   description = "The region where the resources are created."
-  default     = "au-syd"
+  default     = "us-south"
 }
 
 variable "ocp_version" {
 
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.71.0"
+      version = ">= 1.79.0"
     }
     helm = {
       source  = "hashicorp/helm"
 
@@ -158,6 +158,27 @@
             {
               "key": "namespace"
             },
+            {
+              "key": "existing_access_key_secret_name"
+            },
+            {
+              "key": "add_cluster_name"
+            },
+            {
+              "key": "agent_tags"
+            },
+            {
+              "key": "agent_requests_cpu"
+            },
+            {
+              "key": "agent_limits_cpu"
+            },
+            {
+              "key": "agent_requests_memory"
+            },
+            {
+              "key": "agent_limits_memory"
+            },
             {
               "key": "tolerations"
             },
@@ -174,6 +195,9 @@
                 }
               ]
             },
+            {
+              "key": "blacklisted_ports"
+            },
             {
               "key": "metrics_filter"
             },
 
@@ -65,10 +65,21 @@ resource "helm_release" "cloud_monitoring_agent" {
     name  = "agent.slim.enabled"
     value = true
   }
-  set {
-    name  = "global.sysdig.accessKey"
-    type  = "string"
-    value = var.access_key
+  dynamic "set_sensitive" {
+    for_each = var.access_key != null && var.access_key != "" ? [1] : []
+    content {
+      name  = "global.sysdig.accessKey"
+      type  = "string"
+      value = var.access_key
+    }
+  }
+  dynamic "set" {
+    for_each = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [1] : []
+    content {
+      name  = "global.sysdig.accessKeySecret"
+      type  = "string"
+      value = var.existing_access_key_secret_name
+    }
   }
   set {
     name  = "global.clusterConfig.name"
@@ -95,6 +106,26 @@ resource "helm_release" "cloud_monitoring_agent" {
     type  = "string"
     value = var.agent_image_tag_digest
   }
+  set {
+    name  = "agent.resources.requests.cpu"
+    type  = "string"
+    value = var.agent_requests_cpu
+  }
+  set {
+    name  = "agent.resources.requests.memory"
+    type  = "string"
+    value = var.agent_requests_memory
+  }
+  set {
+    name  = "agent.resources.limits.cpu"
+    type  = "string"
+    value = var.agent_limits_cpu
+  }
+  set {
+    name  = "agent.resources.limits.memory"
+    type  = "string"
+    value = var.agent_limits_memory
+  }
   set {
     name  = "agent.slim.kmoduleImage.digest"
     type  = "string"
@@ -107,13 +138,27 @@ resource "helm_release" "cloud_monitoring_agent" {
     value = false
   }
 
-  values = [yamlencode({
-    metrics_filter = var.metrics_filter
-    }), yamlencode({
-    tolerations = var.tolerations
-    }), yamlencode({
-    container_filter = var.container_filter
-  })]
+  # Values to be passed to the agent config map, e.g `kubectl describe configmap sysdig-agent -n ibm-observe`
+  values = [
+    yamlencode({
+      agent = {
+        sysdig = {
+          settings = {
+            blacklisted_ports = var.blacklisted_ports
+            metrics_filter    = var.metrics_filter
+            container_filter  = var.container_filter
+          }
+          tags = merge(
+            var.agent_tags,
+            var.add_cluster_name ? {
+              "ibm-containers-kubernetes-cluster-name" = local.cluster_name
+            } : {}
+          )
+        },
+        tolerations = var.tolerations
+      }
+    })
+  ]
 
   provisioner "local-exec" {
     command     = "${path.module}/scripts/confirm-rollout-status.sh ${var.name} ${var.namespace}"
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ terraform {`
`6`	`6`	`required_providers {`
`7`	`7`	`ibm = {`
`8`	`8`	`source = "ibm-cloud/ibm"`
`9`		`- version = "1.78.2"`
	`9`	`+ version = "1.79.0"`
`10`	`10`	`}`
`11`	`11`	`helm = {`
`12`	`12`	`source = "hashicorp/helm"`