Merge branch 'main' into main

Author: Aashiq-J

README.md

@@ -50,7 +50,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
@@ -88,7 +88,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
-| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.15.0, <3.0.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0.0, <4.0.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
 
 ### Modules
@@ -111,7 +111,7 @@ No modules.
 | <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no |
 | <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
 | <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no |
-| <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.1.0@sha256:2c6401018cfe3f5fcbd0713b64b096c38d47de1b5cd6c11de4691912752263fc"` | no |
+| <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.2.0@sha256:cd9f6c5588280cdb60d07264b812f6635c57557020cdd131757e1c986431cd23"` | no |
 | <a name="input_agent_limits_cpu"></a> [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
 | <a name="input_agent_limits_memory"></a> [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specify memory resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
 | <a name="input_agent_requests_cpu"></a> [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specify CPU resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
@@ -120,13 +120,13 @@ No modules.
 | <a name="input_blacklisted_ports"></a> [blacklisted\_ports](#input\_blacklisted\_ports) | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports | `list(number)` | `[]` | no |
 | <a name="input_chart"></a> [chart](#input\_chart) | The name of the Helm chart to deploy. Use `chart_location` to specify helm chart location. | `string` | `"sysdig-deploy"` | no |
 | <a name="input_chart_location"></a> [chart\_location](#input\_chart\_location) | The location of the agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
-| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the agent helm chart to deploy. | `string` | `"1.91.2"` | no |
+| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the agent helm chart to deploy. | `string` | `"1.93.0"` | no |
 | <a name="input_cluster_config_endpoint_type"></a> [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in. | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
 | <a name="input_cluster_shield_deploy"></a> [cluster\_shield\_deploy](#input\_cluster\_shield\_deploy) | Deploy the Cluster Shield component to provide runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment will be deployed to your cluster using helm. | `bool` | `true` | no |
 | <a name="input_cluster_shield_image_repository"></a> [cluster\_shield\_image\_repository](#input\_cluster\_shield\_image\_repository) | The image repository to pull the Cluster Shield image from. | `string` | `"cluster-shield"` | no |
-| <a name="input_cluster_shield_image_tag_digest"></a> [cluster\_shield\_image\_tag\_digest](#input\_cluster\_shield\_image\_tag\_digest) | The image tag or digest to pull for the Cluster Shield component. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"1.14.0@sha256:abbff90f7884a91d4558476b7b43bb2ae0c72f486c2cf95e729f699116695e52"` | no |
+| <a name="input_cluster_shield_image_tag_digest"></a> [cluster\_shield\_image\_tag\_digest](#input\_cluster\_shield\_image\_tag\_digest) | The image tag or digest to pull for the Cluster Shield component. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"1.15.0@sha256:a8a733fe8e06fcba0eaeff3d078db74e40197d6e03608efba3bbe3c11990bfe6"` | no |
 | <a name="input_cluster_shield_limits_cpu"></a> [cluster\_shield\_limits\_cpu](#input\_cluster\_shield\_limits\_cpu) | Specify CPU resource limits for the cluster shield pods. | `string` | `"1500m"` | no |
 | <a name="input_cluster_shield_limits_memory"></a> [cluster\_shield\_limits\_memory](#input\_cluster\_shield\_limits\_memory) | Specify memory resource limits for the cluster shield pods. | `string` | `"1536Mi"` | no |
 | <a name="input_cluster_shield_requests_cpu"></a> [cluster\_shield\_requests\_cpu](#input\_cluster\_shield\_requests\_cpu) | Specify CPU resource requests for the cluster shield pods. | `string` | `"500m"` | no |

common-dev-assets

@@ -108,7 +108,7 @@ resource "time_sleep" "wait_operators" {
 
 module "cloud_monitoring" {
   source            = "terraform-ibm-modules/cloud-monitoring/ibm"
-  version           = "1.6.1"
+  version           = "1.6.5"
   instance_name     = "${var.prefix}-cloud-monitoring"
   resource_group_id = module.resource_group.resource_group_id
   resource_tags     = var.resource_tags
@@ -122,7 +122,7 @@ module "cloud_monitoring" {
 
 module "scc_wp" {
   source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
-  version                       = "1.10.13"
+  version                       = "1.11.1"
   name                          = "${var.prefix}-scc-wp"
   resource_group_id             = module.resource_group.resource_group_id
   region                        = var.region

examples/obs-agent-iks/main.tf

@@ -4,7 +4,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate

examples/obs-agent-iks/provider.tf

@@ -10,7 +10,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = "2.15.0"
+      version = "3.0.2"
     }
     # The kubernetes provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
     kubernetes = {

examples/obs-agent-iks/version.tf

@@ -71,7 +71,7 @@ locals {
 
 module "ocp_base" {
   source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
-  version              = "3.54.4"
+  version              = "3.55.5"
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   tags                 = var.resource_tags
@@ -95,7 +95,7 @@ data "ibm_container_cluster_config" "cluster_config" {
 
 module "cloud_monitoring" {
   source            = "terraform-ibm-modules/cloud-monitoring/ibm"
-  version           = "1.6.1"
+  version           = "1.6.5"
   instance_name     = "${var.prefix}-cloud-monitoring"
   resource_group_id = module.resource_group.resource_group_id
   resource_tags     = var.resource_tags
@@ -109,7 +109,7 @@ module "cloud_monitoring" {
 
 module "scc_wp" {
   source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
-  version                       = "1.10.13"
+  version                       = "1.11.1"
   name                          = "${var.prefix}-scc-wp"
   resource_group_id             = module.resource_group.resource_group_id
   region                        = var.region

examples/obs-agent-ocp/main.tf

@@ -4,7 +4,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate

examples/obs-agent-ocp/provider.tf

@@ -10,7 +10,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">= 2.15.0"
+      version = ">= 3.0.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

examples/obs-agent-ocp/version.tf

@@ -36,6 +36,17 @@ locals {
   base_endpoint           = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
   ingestion_endpoint      = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
   api_host                = replace(local.ingestion_endpoint, "ingest.", "")
+  dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{
+    name  = "global.sysdig.accessKeySecret"
+    type  = "string"
+    value = var.existing_access_key_secret_name
+  }] : []
+  dynamic_agent_tags = [for k, v in var.agent_tags :
+    {
+      name  = "global.sysdig.tags.${k}"
+      value = v
+    }
+  ]
 }
 
 resource "helm_release" "cloud_monitoring_agent" {
@@ -51,132 +62,114 @@ resource "helm_release" "cloud_monitoring_agent" {
   force_update     = true
   reset_values     = true
 
-  # Values
-  set {
-    name  = "Values.image.repository"
-    type  = "string"
-    value = var.image_registry_base_url
-  }
-
-  # Global
-  set {
-    name  = "global.imageRegistry"
-    type  = "string"
-    value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
-  }
-  set {
-    name  = "global.sysdig.apiHost"
-    value = local.api_host
-  }
-  dynamic "set_sensitive" {
-    for_each = var.access_key != null && var.access_key != "" ? [1] : []
-    content {
-      name  = "global.sysdig.accessKey"
+  set = concat([
+    # Values
+    {
+      name  = "Values.image.repository"
       type  = "string"
-      value = var.access_key
-    }
-  }
-  dynamic "set" {
-    for_each = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [1] : []
-    content {
-      name  = "global.sysdig.accessKeySecret"
+      value = var.image_registry_base_url
+    },
+    # Global
+    {
+      name  = "global.imageRegistry"
       type  = "string"
-      value = var.existing_access_key_secret_name
-    }
-  }
-  set {
-    name  = "global.clusterConfig.name"
-    type  = "string"
-    value = local.cluster_name
-  }
-  set {
-    name  = "global.sysdig.tags.deployment"
-    type  = "string"
-    value = var.deployment_tag
-  }
-  set {
-    name  = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
-    type  = "string"
-    value = var.add_cluster_name ? local.cluster_name : null
-  }
-  dynamic "set" {
-    for_each = var.agent_tags
-    content {
-      name  = "global.sysdig.tags.${set.key}"
-      value = set.value
+      value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
+    },
+    {
+      name  = "global.sysdig.apiHost"
+      value = local.api_host
+    },
+    {
+      name  = "global.clusterConfig.name"
+      type  = "string"
+      value = local.cluster_name
+    },
+    {
+      name  = "global.sysdig.tags.deployment"
+      type  = "string"
+      value = var.deployment_tag
+    },
+    {
+      name  = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
+      type  = "string"
+      value = var.add_cluster_name ? local.cluster_name : null
+    },
+    # Cluster shield
+    {
+      name  = "clusterShield.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.image.repository"
+      value = var.cluster_shield_image_repository
+    },
+    {
+      name  = "clusterShield.image.tag"
+      value = var.cluster_shield_image_tag_digest
+    },
+    {
+      name  = "clusterShield.resources.requests.cpu"
+      type  = "string"
+      value = var.cluster_shield_requests_cpu
+    },
+    {
+      name  = "clusterShield.resources.requests.memory"
+      type  = "string"
+      value = var.cluster_shield_requests_memory
+    },
+    {
+      name  = "clusterShield.resources.limits.cpu"
+      type  = "string"
+      value = var.cluster_shield_limits_cpu
+    },
+    {
+      name  = "clusterShield.resources.limits.memory"
+      type  = "string"
+      value = var.cluster_shield_limits_memory
+    },
+    {
+      name  = "clusterShield.cluster_shield.sysdig_endpoint.region"
+      type  = "string"
+      value = "custom"
+    },
+    {
+      name  = "clusterShield.cluster_shield.log_level"
+      type  = "string"
+      value = "info"
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.admission_control.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.audit.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.posture.enabled"
+      value = var.cluster_shield_deploy
+    },
+    # nodeAnalyzer has been replaced by the host_scanner and kspm_analyzer functionality of main agent daemonset
+    {
+      name  = "nodeAnalyzer.enabled"
+      value = false
+    },
+    # clusterScanner has been replaced by cluster_shield component
+    {
+      name  = "clusterScanner.enabled"
+      value = false
     }
-  }
+  ], local.dynamic_agent_tags, local.dynamic_set_access_key_secret)
 
-  # Cluster shield
-  set {
-    name  = "clusterShield.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.image.repository"
-    value = var.cluster_shield_image_repository
-  }
-  set {
-    name  = "clusterShield.image.tag"
-    value = var.cluster_shield_image_tag_digest
-  }
-  set {
-    name  = "clusterShield.resources.requests.cpu"
-    type  = "string"
-    value = var.cluster_shield_requests_cpu
-  }
-  set {
-    name  = "clusterShield.resources.requests.memory"
-    type  = "string"
-    value = var.cluster_shield_requests_memory
-  }
-  set {
-    name  = "clusterShield.resources.limits.cpu"
-    type  = "string"
-    value = var.cluster_shield_limits_cpu
-  }
-  set {
-    name  = "clusterShield.resources.limits.memory"
+  set_sensitive = var.access_key != null && var.access_key != "" ? [{
+    name  = "global.sysdig.accessKey"
     type  = "string"
-    value = var.cluster_shield_limits_memory
-  }
-  set {
-    name  = "clusterShield.cluster_shield.sysdig_endpoint.region"
-    type  = "string"
-    value = "custom"
-  }
-  set {
-    name  = "clusterShield.cluster_shield.log_level"
-    type  = "string"
-    value = "info"
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.admission_control.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.audit.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.posture.enabled"
-    value = var.cluster_shield_deploy
-  }
-
-  # nodeAnalyzer has been replaced by the host_scanner and kspm_analyzer functionality of main agent daemonset
-  set {
-    name  = "nodeAnalyzer.enabled"
-    value = false
-  }
-  # clusterScanner has been replaced by cluster_shield component
-  set {
-    name  = "clusterScanner.enabled"
-    value = false
-  }
+    value = var.access_key
+  }] : []
 
   # Had to use raw yaml here instead of converting HCL to yaml due to this issue with boolean getting converted to string which sysdig helm chart rejects:
   # https://github.com/hashicorp/terraform-provider-helm/issues/1677

main.tf

@@ -9,7 +9,7 @@ provider "kubernetes" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate