feat: add features to new DA helm chart

Author: Jordan-Williams2

README.md

@@ -103,15 +103,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the IBM Cloud Monitoring agent to communicate with the instance | `string` | n/a | yes |
-| <a name="input_access_key_secret"></a> [access\_key\_secret](#input\_access\_key\_secret) | The name of the secret which will store the access key. | `string` | `"sysdig-agent"` | no |
-| <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. | `bool` | `true` | no |
+| <a name="input_access_key_secret"></a> [access\_key\_secret](#input\_access\_key\_secret) | The name of a Kubernetes/Openshift secret containing an access-key entry. | `string` | `null` | no |
+| <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. | `bool` | `false` | no |
 | <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the Cloud Monitoring agent image from. | `string` | `"agent-slim"` | no |
 | <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent. | `string` | `"13.9.1@sha256:14860d181a8b712c4150bb59e3ba0ff4be08959e2c45376b32c8eb7ff70461f9"` | no |
 | <a name="input_agent_limits_cpu"></a> [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specifies the CPU limit for the agent. | `string` | `"1"` | no |
 | <a name="input_agent_limits_memory"></a> [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specifies the memory limit for the agent. | `string` | `"1024Mi"` | no |
 | <a name="input_agent_requests_cpu"></a> [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specifies the CPU requested to run in a node for the agent. | `string` | `"1"` | no |
 | <a name="input_agent_requests_memory"></a> [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specifies the memory requested to run in a node for the agent. | `string` | `"1024Mi"` | no |
-| <a name="input_agent_tags"></a> [agent\_tags](#input\_agent\_tags) | List of tags to associate to all matrics that the agent collects. NOTE: Use the 'add\_cluster\_name' variable to add the cluster name as a tag. | `list(string)` | `[]` | no |
+| <a name="input_agent_tags"></a> [agent\_tags](#input\_agent\_tags) | Map of tags to associate to all matrics that the agent collects. NOTE: Use the 'add\_cluster\_name' variable to add the cluster name as a tag, e.g `ibm-containers-kubernetes-cluster-name: cluster_name`. | `map(string)` | `{}` | no |
+| <a name="input_blacklisted_ports"></a> [blacklisted\_ports](#input\_blacklisted\_ports) | To blacklist ports, include the ports you wish to block network traffic and metrics from network ports. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports. | `list(number)` | `[]` | no |
 | <a name="input_chart"></a> [chart](#input\_chart) | The name of the Helm chart to deploy. | `string` | `"sysdig-deploy"` | no |
 | <a name="input_chart_location"></a> [chart\_location](#input\_chart\_location) | The location of the Cloud Monitoring agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
 | <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the Cloud Monitoring agent helm chart to deploy. | `string` | `"1.84.2"` | no |

common-dev-assets

@@ -26,12 +26,20 @@ resource "ibm_is_vpc" "vpc" {
   tags                      = var.resource_tags
 }
 
+resource "ibm_is_public_gateway" "gateway" {
+  name           = "${var.prefix}-gateway-1"
+  vpc            = ibm_is_vpc.vpc.id
+  resource_group = module.resource_group.resource_group_id
+  zone           = "${var.region}-1"
+}
+
 resource "ibm_is_subnet" "subnet_zone_1" {
   name                     = "${var.prefix}-subnet-1"
   vpc                      = ibm_is_vpc.vpc.id
   resource_group           = module.resource_group.resource_group_id
   zone                     = "${var.region}-1"
   total_ipv4_address_count = 256
+  public_gateway           = ibm_is_public_gateway.gateway.id
 }
 
 ########################################################################################################################
@@ -99,14 +107,14 @@ module "cloud_monitoring" {
 # Monitoring Agents
 ##############################################################################
 
-module "monitoring_agents" {
-  source                    = "../.."
-  cluster_id                = module.ocp_base.cluster_id
-  cluster_resource_group_id = module.resource_group.resource_group_id
-  # Monitoring agent
-  access_key = module.cloud_monitoring.access_key
-  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  metrics_filter                   = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
-  container_filter                 = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
-  cloud_monitoring_instance_region = var.region
-}
+# module "monitoring_agents" {
+#   source                    = "../.."
+#   cluster_id                = module.ocp_base.cluster_id
+#   cluster_resource_group_id = module.resource_group.resource_group_id
+#   # Monitoring agent
+#   access_key = module.cloud_monitoring.access_key
+#   # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
+#   metrics_filter                   = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
+#   container_filter                 = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+#   cloud_monitoring_instance_region = var.region
+# }

examples/obs-agent-ocp/main.tf

@@ -2,10 +2,35 @@
 # Outputs
 ##############################################################################
 
-#output "myoutput" {
-#  description = "Description of my output"
-#  value       = "value"
-#  depends_on  = [<some resource>]
-#}
+output "region" {
+  description = "The region where the resources are deployed."
+  value       = var.region
+}
+
+output "cloud_monitoring_name" {
+  description = "The name of the IBM Cloud Monitoring instance."
+  value       = module.cloud_monitoring.name
+}
+
+output "cloud_monitoring_access_key" {
+  description = "The access key that is used by the IBM Cloud Monitoring agent to communicate with the instance."
+  value       = module.cloud_monitoring.access_key
+  sensitive   = true
+}
+
+output "cluster_name" {
+  description = "The name of the OpenShift cluster."
+  value       = module.ocp_base.cluster_name
+}
+
+output "cluster_id" {
+  description = "The ID of the OpenShift cluster."
+  value       = module.ocp_base.cluster_id
+}
+
+output "cluster_resource_group_id" {
+  description = "The resource group ID of the cluster."
+  value       = module.resource_group.resource_group_id
+}
 
 ##############################################################################

examples/obs-agent-ocp/outputs.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "A prefix for the name of all resources that are created by this example"
-  default     = "obs-agent-ocp"
+  default     = "mon-agent"
 }
 
 variable "resource_group" {
@@ -31,7 +31,7 @@ variable "access_tags" {
 variable "region" {
   type        = string
   description = "The region where the resources are created."
-  default     = "au-syd"
+  default     = "us-south"
 }
 
 variable "ocp_version" {

examples/obs-agent-ocp/variables.tf

@@ -195,6 +195,9 @@
                 }
               ]
             },
+            {
+              "key": "blacklisted_ports"
+            },
             {
               "key": "metrics_filter"
             },

ibm_catalog.json

@@ -30,7 +30,6 @@ data "ibm_container_cluster_config" "cluster_config" {
 locals {
   # LOCALS
   cluster_name   = var.is_vpc_cluster ? data.ibm_container_vpc_cluster.cluster[0].resource_name : data.ibm_container_cluster.cluster[0].resource_name # Not publically documented in provider. See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4485
-  agent_tags     = var.add_cluster_name ? concat(["ibm.containers-kubernetes.cluster.name:${local.cluster_name}"], var.agent_tags) : var.agent_tags
   collector_host = var.cloud_monitoring_instance_endpoint_type == "private" ? "ingest.private.${var.cloud_monitoring_instance_region}.monitoring.cloud.ibm.com" : "ingest.${var.cloud_monitoring_instance_region}.monitoring.cloud.ibm.com"
 }
 
@@ -71,15 +70,13 @@ resource "helm_release" "cloud_monitoring_agent" {
     type  = "string"
     value = var.access_key
   }
-  set {
-    name  = "global.sysdig.accessKeySecret"
-    type  = "string"
-    value = var.access_key_secret
-  }
-  set {
-    name  = "global.sysdig.tags"
-    type  = "string"
-    value = join("\\,", local.agent_tags)
+  dynamic "set" {
+    for_each = var.access_key_secret != null && var.access_key_secret != "" ? [1] : []
+    content {
+      name  = "global.sysdig.accessKeySecret"
+      type  = "string"
+      value = var.access_key_secret
+    }
   }
   set {
     name  = "global.clusterConfig.name"
@@ -139,21 +136,24 @@ resource "helm_release" "cloud_monitoring_agent" {
   }
 
   values = [
-    yamlencode(
-      {
-        metrics_filter = var.metrics_filter
-      }
-    ),
-    yamlencode(
-      {
-        tolerations = var.tolerations
-      }
-    ),
-    yamlencode(
-      {
-        container_filter = var.container_filter
+    yamlencode({
+      agent = {
+        sysdig = {
+          settings = {
+            blacklisted_ports = var.blacklisted_ports
+            metrics_filter    = var.metrics_filter
+            tolerations       = var.tolerations
+            container_filter  = var.container_filter
+          }
+          tags = merge(
+            var.agent_tags,
+            var.add_cluster_name ? {
+              "ibm-containers-kubernetes-cluster-name" = local.cluster_name
+            } : {}
+          )
+        }
       }
-    )
+    })
   ]
 
   provisioner "local-exec" {

main.tf

@@ -25,6 +25,7 @@ module "monitoring_agent" {
   access_key_secret                       = var.access_key_secret
   agent_tags                              = var.agent_tags
   add_cluster_name                        = var.add_cluster_name
+  blacklisted_ports                       = var.blacklisted_ports
   metrics_filter                          = var.metrics_filter
   cloud_monitoring_instance_region        = var.cloud_monitoring_instance_region
   tolerations                             = var.tolerations

solutions/fully-configurable/main.tf

@@ -23,8 +23,8 @@ variable "cluster_resource_group_id" {
 variable "cluster_config_endpoint_type" {
   description = "Specify the type of endpoint to use to access the cluster configuration. Possible values: `default`, `private`, `vpe`, `link`. The `default` value uses the default endpoint of the cluster."
   type        = string
-  default     = "private"
-  nullable    = false # use default if null is passed in
+  default     = "private" # Use 'private' for VPC clusters, 'default' for classic clusters
+  nullable    = false     # use default if null is passed in
 }
 
 variable "is_vpc_cluster" {
@@ -58,9 +58,9 @@ variable "access_key" {
 
 variable "access_key_secret" {
   type        = string
-  description = "The name of the secret which will store the access key."
-  default     = "sysdig-agent"
-  nullable    = false
+  description = "The name of a Kubernetes/Openshift secret containing an access-key entry."
+  default     = null
+  nullable    = true
 }
 
 variable "cloud_monitoring_instance_region" {
@@ -75,25 +75,29 @@ variable "cloud_monitoring_instance_endpoint_type" {
   default     = "private"
 }
 
+variable "blacklisted_ports" {
+  type        = list(number)
+  description = "To blacklist ports, include the ports you wish to block network traffic and metrics from network ports. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports."
+  default     = []
+}
+
 variable "metrics_filter" {
   type = list(object({
-    type = string
-    name = string
+    include = optional(string)
+    exclude = optional(string)
   }))
   description = "To filter on custom metrics, specify the IBM Cloud Monitoring metrics to include or exclude. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics) and [here](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-types.md)."
-  default     = [] # [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
+  default     = [{ exclude = "all" }]
+  validation {
+    condition     = length(var.metrics_filter) == 0 || can(regex("^(include|exclude)$", var.metrics_filter[0].include)) || can(regex("^(include|exclude)$", var.metrics_filter[0].exclude))
+    error_message = "Invalid input for `metrics_filter`. Valid options for 'include' and 'exclude' are: `include` and `exclude`. If empty, no metrics are included or excluded."
+  }
 }
 
 variable "agent_tags" {
-  type        = list(string)
-  description = "List of tags to associate to all matrics that the agent collects. NOTE: Use the 'add_cluster_name' variable to add the cluster name as a tag."
-  default     = []
-  nullable    = false
-
-  validation {
-    condition     = alltrue([for tags in var.agent_tags : !can(regex("\\s", tags))])
-    error_message = "The cloud monitoring agent tags must not contain any spaces."
-  }
+  description = "Map of tags to associate to all matrics that the agent collects. NOTE: Use the 'add_cluster_name' variable to add the cluster name as a tag, e.g `ibm-containers-kubernetes-cluster-name: cluster_name`."
+  type        = map(string)
+  default     = {}
 }
 
 variable "add_cluster_name" {

solutions/fully-configurable/variables.tf

@@ -66,9 +66,9 @@ variable "access_key" {
 
 variable "access_key_secret" {
   type        = string
-  description = "The name of the secret which will store the access key."
-  default     = "sysdig-agent"
-  nullable    = false
+  description = "The name of a Kubernetes/Openshift secret containing an access-key entry."
+  default     = null
+  nullable    = true
 }
 
 variable "cloud_monitoring_instance_region" {
@@ -87,16 +87,22 @@ variable "cloud_monitoring_instance_endpoint_type" {
   }
 }
 
+variable "blacklisted_ports" {
+  type        = list(number)
+  description = "To blacklist ports, include the ports you wish to block network traffic and metrics from network ports. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports."
+  default     = []
+}
+
 variable "metrics_filter" {
   type = list(object({
-    type = string
-    name = string
+    include = optional(string)
+    exclude = optional(string)
   }))
   description = "To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics."
   default     = []
   validation {
-    condition     = alltrue([for filter in var.metrics_filter : can(regex("^(include|exclude)$", filter.type)) && filter.name != ""])
-    error_message = "The specified `type` for the `metrics_filter` is not valid. Specify either `include` or `exclude`. The `name` field cannot be empty."
+    condition     = length(var.metrics_filter) == 0 || can(regex("^(include|exclude)$", var.metrics_filter[0].include)) || can(regex("^(include|exclude)$", var.metrics_filter[0].exclude))
+    error_message = "Invalid input for `metrics_filter`. Valid options for 'include' and 'exclude' are: `include` and `exclude`. If empty, no metrics are included or excluded."
   }
 }
 
@@ -115,21 +121,15 @@ variable "container_filter" {
 }
 
 variable "agent_tags" {
-  type        = list(string)
-  description = "List of tags to associate to all matrics that the agent collects. NOTE: Use the 'add_cluster_name' variable to add the cluster name as a tag."
-  default     = []
-  nullable    = false
-
-  validation {
-    condition     = alltrue([for tags in var.agent_tags : !can(regex("\\s", tags))])
-    error_message = "The cloud monitoring agent tags must not contain any spaces."
-  }
+  description = "Map of tags to associate to all matrics that the agent collects. NOTE: Use the 'add_cluster_name' variable to add the cluster name as a tag, e.g `ibm-containers-kubernetes-cluster-name: cluster_name`."
+  type        = map(string)
+  default     = {}
 }
 
 variable "add_cluster_name" {
   type        = bool
   description = "If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data."
-  default     = true
+  default     = false
 }
 
 variable "name" {