diff --git a/.secrets.baseline b/.secrets.baseline
index 147f1608..f11d6f16 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
- "generated_at": "2025-03-24T23:50:51Z",
+ "generated_at": "2025-07-14T16:52:00Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
"name": "TwilioKeyDetector"
}
],
- "results": {},
+ "results": {
+ "README.md": [
+ {
+ "hashed_secret": "3f0155e75563ab3adc0505000a86da5baa207d1f",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 49,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ]
+ },
"version": "0.13.1+ibm.62.dss",
"word_list": {
"file": null,
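Review bot: The new `results` entry allowlists a README placeholder credential through the baseline, which is the fragile way to silence this finding: the entry is tied to `"line_number": 49` and a specific hash in README.md, so it has to be maintained every time the README moves or rewords that line, and it reads as a flagged secret to anyone auditing the baseline. The cause appears to be the README hunk at L88-L89, where the inline `# pragma: allowlist secret` annotation on the `ibmcloud_api_key = "XXXXXXXXXXXXXXXXX"` line was replaced by a plain comment; keeping the annotation at the source, `ibmcloud_api_key = "XXXXXXXXXXXXXXXXX" # pragma: allowlist secret - replace with your IBM Cloud API key`, lets this `results` block stay empty. Which README line number 49 corresponds to cannot be confirmed from the diff, since blank lines are not shown.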
diff --git a/README.md b/README.md
index ee15007d..931df4e7 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Terraform IBM Monitoring agent module
+# IBM Cloud Monitoring and Workload Protection agent module
[-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[](https://github.com/pre-commit/pre-commit)
@@ -6,17 +6,25 @@
[](https://renovatebot.com/)
[](https://github.com/semantic-release/semantic-release)
-This module deploys the following monitoring agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster:
+This module supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
+- Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
+- Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started)
-- [Monitoring agent](https://cloud.ibm.com/docs/monitoring?topic=monitoring-about-collect-metrics)
+## Key considerations
+- Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
+- You can use the [terraform-ibm-cloud-monitoring](https://github.com/terraform-ibm-modules/terraform-ibm-cloud-monitoring) module to provision a new instance of IBM Cloud Monitoring
+- You can use the [terraform-ibm-scc-workload-protection](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection) module to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This module has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
+- Both instances must be in the same region.
+- You can connect only one Monitoring instance to one Workload Protection instance.
+- Connections can only be established between two new instances or between one new and one existing instance.
## Overview
* [terraform-ibm-monitoring-agent](#terraform-ibm-monitoring-agent)
* [Examples](./examples)
- * [Monitoring agent on Kubernetes using CSE ingress endpoint with an apikey](./examples/obs-agent-iks)
- * [Monitoring agent](./examples/obs-agent-ocp)
+ * [Deploy agent in IKS cluster](./examples/obs-agent-iks)
+ * [Deploy agent in OpenShift cluster](./examples/obs-agent-ocp)
* [Contributing](#contributing)
@@ -25,22 +33,20 @@ This module deploys the following monitoring agent to an IBM Cloud Red Hat OpenS
### Usage
```hcl
-# ############################################################################
-# Init cluster config for helm
-# ############################################################################
+#############################################################################
+# Initialize cluster config for helm provider
+#############################################################################
data "ibm_container_cluster_config" "cluster_config" {
- # update this value with the Id of the cluster where these agent will be provisioned
- cluster_name_id = "cluster_id"
+ cluster_name_id = "REPLACE" # Replace with name of ID of cluster
}
-# ############################################################################
-# Config providers
-# ############################################################################
+#############################################################################
+# Configure providers
+#############################################################################
provider "ibm" {
- # update this value with your IBM Cloud API key value
- ibmcloud_api_key = "XXXXXXXXXXXXXXXXX" # pragma: allowlist secret
+ ibmcloud_api_key = "XXXXXXXXXXXXXXXXX" # Replace with IBM Cloud api key
}
provider "helm" {
@@ -51,18 +57,18 @@ provider "helm" {
}
}
-# ############################################################################
-# Install monitoring agents
-# ############################################################################
-
-module "monitoring_agents" {
- source = "terraform-ibm-modules/monitoring-agent/ibm"
- version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
- is_vpc_cluster = true # Change to false if target cluster is running on classic infrastructure
- cluster_id = "cluster id" # update this with your cluster id where the agent will be installed
- cluster_resource_group_id = "resource group id" # update this with the Id of your IBM Cloud resource group
- access_key = "XXXXXXXX"
- cloud_monitoring_instance_region = "us-south"
+#############################################################################
+# Install agent
+#############################################################################
+
+module "monitoring_agent" {
+ source = "terraform-ibm-modules/monitoring-agent/ibm"
+ version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
+ is_vpc_cluster = true # Change to false if target cluster is running on classic infrastructure
+ cluster_id = "REPLACE"
+ cluster_resource_group_id = "REPLACE"
+ access_key = "XXXXXXXX"
+ instance_region = "us-south" # enter region of Cloud Monitoring / SCC-WP instance
}
```
@@ -83,7 +89,7 @@ You need the following permissions to run this module.
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [helm](#requirement\_helm) | >= 2.15.0, <3.0.0 |
-| [ibm](#requirement\_ibm) | >= 1.79.0, <2.0.0 |
+| [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
### Modules
@@ -102,37 +108,48 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [access\_key](#input\_access\_key) | Access key used by the IBM Cloud Monitoring agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored on a new secret on the cluster if passed. | `string` | `null` | no |
-| [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
-| [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the Cloud Monitoring agent image from. | `string` | `"agent-slim"` | no |
-| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent. | `string` | `"14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570"` | no |
-| [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specifies the CPU limit for the agent. | `string` | `"1"` | no |
-| [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specifies the memory limit for the agent. | `string` | `"1024Mi"` | no |
-| [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specifies the CPU requested to run in a node for the agent. | `string` | `"1"` | no |
-| [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specifies the memory requested to run in a node for the agent. | `string` | `"1024Mi"` | no |
-| [agent\_tags](#input\_agent\_tags) | Map of tags to associate to all metrics that the agent collects. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag, e.g `{'environment': 'production'}.` | `map(string)` | `{}` | no |
-| [blacklisted\_ports](#input\_blacklisted\_ports) | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports). | `list(number)` | `[]` | no |
-| [chart](#input\_chart) | The name of the Helm chart to deploy. | `string` | `"sysdig-deploy"` | no |
-| [chart\_location](#input\_chart\_location) | The location of the Cloud Monitoring agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
-| [chart\_version](#input\_chart\_version) | The version of the Cloud Monitoring agent helm chart to deploy. | `string` | `"1.89.1"` | no |
-| [cloud\_monitoring\_instance\_endpoint\_type](#input\_cloud\_monitoring\_instance\_endpoint\_type) | Specify the IBM Cloud Monitoring instance endpoint type (public or private) to use. Used to construct the ingestion endpoint. | `string` | `"private"` | no |
-| [cloud\_monitoring\_instance\_region](#input\_cloud\_monitoring\_instance\_region) | The IBM Cloud Monitoring instance region. Used to construct the ingestion endpoint. | `string` | n/a | yes |
+| [access\_key](#input\_access\_key) | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no |
+| [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
+| [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no |
+| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570"` | no |
+| [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
+| [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specify memory resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
+| [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specify CPU resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
+| [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specify memory resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
+| [agent\_tags](#input\_agent\_tags) | Map of tags to associate to the agent. For example, {"environment": "production"}. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag. | `map(string)` | `{}` | no |
+| [blacklisted\_ports](#input\_blacklisted\_ports) | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports | `list(number)` | `[]` | no |
+| [chart](#input\_chart) | The name of the Helm chart to deploy. Use `chart_location` to specify helm chart location. | `string` | `"sysdig-deploy"` | no |
+| [chart\_location](#input\_chart\_location) | The location of the agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
+| [chart\_version](#input\_chart\_version) | The version of the agent helm chart to deploy. | `string` | `"1.89.1"` | no |
| [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
-| [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in | `string` | n/a | yes |
-| [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The Resource Group ID of the cluster | `string` | n/a | yes |
-| [container\_filter](#input\_container\_filter) | To filter custom containers, specify which containers to include or exclude from metrics collection for the cloud monitoring agent. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data. |
list(object({ type = string parameter = string name = string }))
| `[]` | no |
-| [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md). | `bool` | `true` | no |
-| [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using the Sysdig Agent `access_key`. Specify the name of a Kubernetes secret containing an access-key entry. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
-| [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc. | `string` | `"icr.io"` | no |
-| [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull the Cloud Monitoring agent images from. | `string` | `"ext/sysdig"` | no |
-| [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster for the monitoring agent is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
-| [kernal\_module\_image\_repository](#input\_kernal\_module\_image\_repository) | The image repository to pull the Cloud Monitoring agent kernal module initContainer image from. | `string` | `"agent-kmodule"` | no |
-| [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent kernel module used by the initContainer. | `string` | `"14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68"` | no |
-| [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics. |
list(object({ include = optional(string) exclude = optional(string) }))
| `[]` | no |
-| [name](#input\_name) | Cloud Monitoring agent name. Used for naming all kubernetes and helm resources on the cluster. | `string` | `"sysdig-agent"` | no |
-| [namespace](#input\_namespace) | Namespace where to deploy the Cloud Monitoring agent. Default value is 'ibm-observe' | `string` | `"ibm-observe"` | no |
-| [tolerations](#input\_tolerations) | List of tolerations to apply to Cloud Monitoring agent. |
| no |
-| [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal` | `string` | `"Normal"` | no |
+| [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in. | `string` | n/a | yes |
+| [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
+| [cluster\_shield\_deploy](#input\_cluster\_shield\_deploy) | Deploy the Cluster Shield component to provide runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment will be deployed to your cluster using helm. | `bool` | `true` | no |
+| [cluster\_shield\_image\_repository](#input\_cluster\_shield\_image\_repository) | The image repository to pull the Cluster Shield image from. | `string` | `"cluster-shield"` | no |
+| [cluster\_shield\_image\_tag\_digest](#input\_cluster\_shield\_image\_tag\_digest) | The image tag or digest to pull for the Cluster Shield component. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a"` | no |
+| [cluster\_shield\_limits\_cpu](#input\_cluster\_shield\_limits\_cpu) | Specify CPU resource limits for the cluster shield pods. | `string` | `"1500m"` | no |
+| [cluster\_shield\_limits\_memory](#input\_cluster\_shield\_limits\_memory) | Specify memory resource limits for the cluster shield pods. | `string` | `"1536Mi"` | no |
+| [cluster\_shield\_requests\_cpu](#input\_cluster\_shield\_requests\_cpu) | Specify CPU resource requests for the cluster shield pods. | `string` | `"500m"` | no |
+| [cluster\_shield\_requests\_memory](#input\_cluster\_shield\_requests\_memory) | Specify memory resource requests for the cluster shield pods. | `string` | `"512Mi"` | no |
+| [container\_filter](#input\_container\_filter) | Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data |
list(object({ type = string parameter = string name = string }))
| `[]` | no |
+| [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
+| [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
+| [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
+| [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf | `bool` | `true` | no |
+| [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
+| [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
+| [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
+| [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes |
+| [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
+| [kernal\_module\_image\_repository](#input\_kernal\_module\_image\_repository) | The image repository to pull the agent kernal module initContainer image from. | `string` | `"agent-kmodule"` | no |
+| [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image tag or digest to use for the agent kernel module used by the initContainer. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68"` | no |
+| [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics |
list(object({ include = optional(string) exclude = optional(string) }))
| `[]` | no |
+| [name](#input\_name) | The name to give the agent helm release. | `string` | `"sysdig-agent"` | no |
+| [namespace](#input\_namespace) | Namespace to deploy the agent to. | `string` | `"ibm-observe"` | no |
+| [tolerations](#input\_tolerations) | List of tolerations to apply to the agent. |
| no |
+| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Whether send data over a private endpoint or not. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint. | `bool` | `true` | no |
+| [use\_scc\_wp\_endpoint](#input\_use\_scc\_wp\_endpoint) | By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true. | `bool` | `false` | no |
+| [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported values are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal` | `string` | `"Normal"` | no |
| [wait\_till\_timeout](#input\_wait\_till\_timeout) | Timeout for wait\_till in minutes. | `number` | `90` | no |
### Outputs
diff --git a/examples/obs-agent-iks/README.md b/examples/obs-agent-iks/README.md
index 66baa8c3..4534d64d 100644
--- a/examples/obs-agent-iks/README.md
+++ b/examples/obs-agent-iks/README.md
@@ -1,10 +1,12 @@
-# Monitoring agent on Kubernetes using CSE ingress endpoint with an apikey
+# Deploy agent in IKS cluster
-An example that shows how to deploy a Monitoring agent in a Kubernetes cluster to send Logs directly to IBM a Cloud Monitoring instance.
+An example that shows how to deploy the agent in an IKS cluster.
+
+The following resources are provisioned:
-The example provisions the following resources:
- A new resource group, if an existing one is not passed in.
- A basic VPC (if `is_vpc_cluster` is true).
- A Kubernetes cluster.
-- An IBM Cloud Monitoring instance
-- Monitoring agent
+- An IBM Cloud Monitoring instance.
+- An SCC Workload Protection instance.
+- The Monitoring and Workload Protection agent.
diff --git a/examples/obs-agent-iks/main.tf b/examples/obs-agent-iks/main.tf
index 625987d4..d37595a5 100644
--- a/examples/obs-agent-iks/main.tf
+++ b/examples/obs-agent-iks/main.tf
@@ -10,71 +10,89 @@ module "resource_group" {
existing_resource_group_name = var.resource_group
}
-########################################################################################################################
-# VPC + Subnet + Public Gateway
-#
-# NOTE: This is a very simple VPC with single subnet in a single zone with a public gateway enabled, that will allow
-# all traffic ingress/egress by default.
-# For production use cases this would need to be enhanced by adding more subnets and zones for resiliency, and
-# ACLs/Security Groups for network security.
-########################################################################################################################
-
-resource "ibm_is_vpc" "vpc" {
- name = "${var.prefix}-vpc"
- resource_group = module.resource_group.resource_group_id
- address_prefix_management = "auto"
- tags = var.resource_tags
+##############################################################################
+# Create VPC and IKS Cluster
+##############################################################################
+
+resource "ibm_is_vpc" "example_vpc" {
+ count = var.is_vpc_cluster ? 1 : 0
+ name = "${var.prefix}-vpc"
+ resource_group = module.resource_group.resource_group_id
+ tags = var.resource_tags
}
-resource "ibm_is_subnet" "subnet_zone_1" {
- name = "${var.prefix}-subnet-1"
- vpc = ibm_is_vpc.vpc.id
- resource_group = module.resource_group.resource_group_id
+resource "ibm_is_subnet" "testacc_subnet" {
+ count = var.is_vpc_cluster ? 1 : 0
+ name = "${var.prefix}-subnet"
+ vpc = ibm_is_vpc.example_vpc[0].id
zone = "${var.region}-1"
total_ipv4_address_count = 256
+ resource_group = module.resource_group.resource_group_id
}
-########################################################################################################################
-# OCP VPC cluster (single zone)
-########################################################################################################################
-
+# Lookup the current default kube version
+data "ibm_container_cluster_versions" "cluster_versions" {}
locals {
- cluster_vpc_subnets = {
- default = [
- {
- id = ibm_is_subnet.subnet_zone_1.id
- cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
- zone = ibm_is_subnet.subnet_zone_1.zone
- }
- ]
- }
+ default_version = data.ibm_container_cluster_versions.cluster_versions.default_kube_version
+}
- worker_pools = [
- {
- subnet_prefix = "default"
- pool_name = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
- machine_type = "bx2.4x16"
- operating_system = "REDHAT_8_64"
- workers_per_zone = 2 # minimum of 2 is allowed when using single zone
- }
- ]
+resource "ibm_container_vpc_cluster" "cluster" {
+ count = var.is_vpc_cluster ? 1 : 0
+ name = var.prefix
+ vpc_id = ibm_is_vpc.example_vpc[0].id
+ kube_version = local.default_version
+ flavor = "bx2.4x16"
+ worker_count = "2"
+ force_delete_storage = true
+ wait_till = "IngressReady"
+ zones {
+ subnet_id = ibm_is_subnet.testacc_subnet[0].id
+ name = "${var.region}-1"
+ }
+ resource_group_id = module.resource_group.resource_group_id
+ tags = var.resource_tags
}
-module "ocp_base" {
- source = "terraform-ibm-modules/base-ocp-vpc/ibm"
- version = "3.52.0"
+resource "ibm_container_cluster" "cluster" {
+ #checkov:skip=CKV2_IBM_7:Public endpoint is required for testing purposes
+ count = var.is_vpc_cluster ? 0 : 1
+ name = var.prefix
+ datacenter = var.datacenter
+ default_pool_size = 2
+ hardware = "shared"
+ kube_version = local.default_version
+ force_delete_storage = true
+ machine_type = "b3c.4x16"
+ public_vlan_id = ibm_network_vlan.public_vlan[0].id
+ private_vlan_id = ibm_network_vlan.private_vlan[0].id
+ wait_till = "Normal"
resource_group_id = module.resource_group.resource_group_id
- region = var.region
tags = var.resource_tags
- cluster_name = var.prefix
- force_delete_storage = true
- vpc_id = ibm_is_vpc.vpc.id
- vpc_subnets = local.cluster_vpc_subnets
- worker_pools = local.worker_pools
+
+ timeouts {
+ delete = "2h"
+ create = "3h"
+ }
+}
+
+locals {
+ cluster_name_id = var.is_vpc_cluster ? ibm_container_vpc_cluster.cluster[0].id : ibm_container_cluster.cluster[0].id
+}
+
+resource "ibm_network_vlan" "public_vlan" {
+ count = var.is_vpc_cluster ? 0 : 1
+ datacenter = var.datacenter
+ type = "PUBLIC"
+}
+
+resource "ibm_network_vlan" "private_vlan" {
+ count = var.is_vpc_cluster ? 0 : 1
+ datacenter = var.datacenter
+ type = "PRIVATE"
}
data "ibm_container_cluster_config" "cluster_config" {
- cluster_name_id = module.ocp_base.cluster_id
+ cluster_name_id = local.cluster_name_id
resource_group_id = module.resource_group.resource_group_id
}
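Review bot: The replacement header at L256-L258 drops the caveat the removed one at L245-L248 carried — that this single-subnet, single-zone VPC with a public gateway allows all ingress/egress by default and needs ACLs/security groups and more zones before production use — while the new `ibm_container_cluster` adds a public endpoint with only the checkov skip at L325 to say it is for testing. Because examples are what users copy, restore the warning above `resource "ibm_is_vpc" "example_vpc"`, e.g. `# NOTE: minimal single-zone VPC with a public gateway and default network rules; add ACLs/security groups and more zones for production.` Separately, `worker_count = "2"` at L311 passes a number as a string; `worker_count = 2` matches `default_pool_size = 2` at L329. The resource name `testacc_subnet` at L270 reads like an acceptance-test leftover; `example_subnet` would pair with `example_vpc`.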
@@ -85,17 +103,32 @@ resource "time_sleep" "wait_operators" {
}
##############################################################################
-# Monitoring Instance
+# Monitoring instance
##############################################################################
module "cloud_monitoring" {
- source = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
- version = "3.5.3"
- instance_name = "${var.prefix}-cloud-monitoring"
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- plan = "graduated-tier"
- enable_platform_metrics = var.enable_platform_metrics
+ source = "terraform-ibm-modules/cloud-monitoring/ibm"
+ version = "1.3.0"
+ instance_name = "${var.prefix}-cloud-monitoring"
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.resource_tags
+ region = var.region
+ plan = "graduated-tier"
+}
+
+##############################################################################
+# SCC Workload Protection instance
+##############################################################################
+
+module "scc_wp" {
+ source = "terraform-ibm-modules/scc-workload-protection/ibm"
+ version = "1.10.3"
+ name = "${var.prefix}-scc-wp"
+ resource_group_id = module.resource_group.resource_group_id
+ region = var.region
+ resource_tags = var.resource_tags
+ cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+ cspm_enabled = false
}
##############################################################################
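Review bot: `cspm_enabled = false` at L407 is the one non-obvious setting in the new `scc_wp` module block and carries no explanation, so a reader copying the example cannot tell whether it is required for the agent connection or only a scope/cost choice for the example. Add a comment giving the reason, e.g. `cspm_enabled = false # CSPM is not exercised by this example`, adjusted to whatever the actual reason is. A one-line comment above the module, `# Link the Workload Protection instance to the Monitoring instance so a single agent can serve both`, would also tie `cloud_monitoring_instance_crn` at L406 to the "connection between instances" requirement described in the root README.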
@@ -103,12 +136,13 @@ module "cloud_monitoring" {
##############################################################################
module "monitoring_agents" {
- source = "../.."
- depends_on = [time_sleep.wait_operators]
- cluster_id = module.ocp_base.cluster_id
+ source = "../.."
+ # remove the above line and uncomment the below 2 lines to consume the module from the registry
+ # source = "terraform-ibm-modules/monitoring-agent/ibm"
+ # version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
+ cluster_id = local.cluster_name_id
cluster_resource_group_id = module.resource_group.resource_group_id
- # # Monitoring agent
- access_key = module.cloud_monitoring.access_key
- cloud_monitoring_instance_region = var.region
- enable_universal_ebpf = true
+ is_vpc_cluster = var.is_vpc_cluster
+ access_key = module.cloud_monitoring.access_key
+ instance_region = var.region
}
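Review bot: `depends_on = [time_sleep.wait_operators]` is removed from the `monitoring_agents` call at L414 while the `time_sleep.wait_operators` resource still exists in the file (visible in the hunk header at L372), so the sleep no longer gates the helm install; either restore `depends_on = [time_sleep.wait_operators]` or, if nothing else references it, delete the resource so the example does not wait for nothing. `enable_universal_ebpf = true` was also dropped at L425, which is fine while the module default stays `true` as the README table states, but a comment such as `# enable_universal_ebpf defaults to true` would make the reliance on the default explicit.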
diff --git a/examples/obs-agent-iks/provider.tf b/examples/obs-agent-iks/provider.tf
index 13202b7c..a5fc539e 100644
--- a/examples/obs-agent-iks/provider.tf
+++ b/examples/obs-agent-iks/provider.tf
@@ -16,3 +16,13 @@ provider "kubernetes" {
token = data.ibm_container_cluster_config.cluster_config.token
cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
}
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+provider "restapi" {
+ uri = "https://resource-controller.cloud.ibm.com"
+ headers = {
+ Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
+ }
+ write_returns_object = true
+}
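Review bot: `data "ibm_iam_auth_token" "auth_token"` materialises a bearer token that, like any data-source attribute, is persisted in the Terraform state for this example, so the example's state now has to be handled as secret-bearing even though the module itself only consumes an access key. The same block is added verbatim in `examples/obs-agent-ocp/provider.tf` (L710–L718). A comment above the data source would make the trade-off explicit, e.g. `# NOTE: the IAM token returned here is written to Terraform state; keep example state encrypted and access-controlled.` If the restapi provider is only needed by the `scc_wp` module (presumably why it appears here), saying so in the comment lets it be removed when that dependency goes.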
diff --git a/examples/obs-agent-iks/variables.tf b/examples/obs-agent-iks/variables.tf
index 8cbcb21b..0f42a3c5 100644
--- a/examples/obs-agent-iks/variables.tf
+++ b/examples/obs-agent-iks/variables.tf
@@ -28,8 +28,14 @@ variable "region" {
default = "au-syd"
}
-variable "enable_platform_metrics" {
+variable "is_vpc_cluster" {
type = bool
- description = "Enable platform metrics"
- default = false
+ description = "Specify true if the target cluster for the observability agents is a VPC cluster, false if it is classic cluster."
+ default = true
+}
+
+variable "datacenter" {
+ type = string
+ description = "If creating a classic cluster, the data center where the cluster is created"
+ default = "syd01"
}
diff --git a/examples/obs-agent-iks/version.tf b/examples/obs-agent-iks/version.tf
index 4e0bbcea..91eea4c2 100644
--- a/examples/obs-agent-iks/version.tf
+++ b/examples/obs-agent-iks/version.tf
@@ -6,7 +6,7 @@ terraform {
required_providers {
ibm = {
source = "ibm-cloud/ibm"
- version = "1.79.0"
+ version = "1.79.2"
}
helm = {
source = "hashicorp/helm"
@@ -22,5 +22,10 @@ terraform {
source = "hashicorp/time"
version = ">= 0.9.1"
}
+ # The restapi provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
+ restapi = {
+ source = "Mastercard/restapi"
+ version = ">= 2.0.1"
+ }
}
}
diff --git a/examples/obs-agent-ocp/.secrets.baseline b/examples/obs-agent-ocp/.secrets.baseline
new file mode 100644
index 00000000..d7b7b1c0
--- /dev/null
+++ b/examples/obs-agent-ocp/.secrets.baseline
@@ -0,0 +1,85 @@
+{
+ "exclude": {
+ "files": "^.secrets.baseline$",
+ "lines": null
+ },
+ "generated_at": "2025-07-14T16:51:43Z",
+ "plugins_used": [
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "base64_limit": 4.5,
+ "name": "Base64HighEntropyString"
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "BoxDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "ghe_instance": "github.ibm.com",
+ "name": "GheDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "hex_limit": 3,
+ "name": "HexHighEntropyString"
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "keyword_exclude": null,
+ "name": "KeywordDetector"
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "results": {},
+ "version": "0.13.1+ibm.62.dss",
+ "word_list": {
+ "file": null,
+ "hash": null
+ }
+}
diff --git a/examples/obs-agent-ocp/README.md b/examples/obs-agent-ocp/README.md
index 1c29c3aa..2da95791 100644
--- a/examples/obs-agent-ocp/README.md
+++ b/examples/obs-agent-ocp/README.md
@@ -1,11 +1,12 @@
-# Monitoring agent
+# Deploy agent in OpenShift cluster
-An example that shows how to deploy Monitoring agent in an Red Hat OpenShift container platform cluster to send Logs directly to a Cloud Monitoring instance.
+An example that shows how to deploy the agent in an Red Hat OpenShift container platform cluster.
-The example provisions the following resources:
+The following resources are provisioned:
- A new resource group, if an existing one is not passed in.
- A basic VPC.
- A Red Hat OpenShift Container Platform VPC cluster.
- An IBM Cloud Monitoring instance.
-- Monitoring agent
+- An SCC Workload Protection instance.
+- The Monitoring and Workload Protection agent.
diff --git a/examples/obs-agent-ocp/main.tf b/examples/obs-agent-ocp/main.tf
index 4e060f76..8c142fd0 100644
--- a/examples/obs-agent-ocp/main.tf
+++ b/examples/obs-agent-ocp/main.tf
@@ -26,12 +26,21 @@ resource "ibm_is_vpc" "vpc" {
tags = var.resource_tags
}
+# Public gateway required when deploying a cluster with public endpoint enabled otherwise ingress goes into degraded state
+resource "ibm_is_public_gateway" "gateway" {
+ name = "${var.prefix}-gateway-1"
+ vpc = ibm_is_vpc.vpc.id
+ resource_group = module.resource_group.resource_group_id
+ zone = "${var.region}-1"
+}
+
resource "ibm_is_subnet" "subnet_zone_1" {
name = "${var.prefix}-subnet-1"
vpc = ibm_is_vpc.vpc.id
resource_group = module.resource_group.resource_group_id
zone = "${var.region}-1"
total_ipv4_address_count = 256
+ public_gateway = ibm_is_public_gateway.gateway.id
}
########################################################################################################################
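Review bot: `ibm_is_public_gateway.gateway` is created without `tags = var.resource_tags`, unlike `ibm_is_vpc.vpc` just above it (L607), so the new gateway escapes the tagging the example applies elsewhere; add `tags = var.resource_tags` to the resource. Attaching the gateway also gives every worker in `subnet_zone_1` outbound internet access, which the comment justifies for ingress but is worth stating alongside the tagging, since readers copying this example into a restricted VPC may not want it.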
@@ -70,7 +79,6 @@ module "ocp_base" {
force_delete_storage = true
vpc_id = ibm_is_vpc.vpc.id
vpc_subnets = local.cluster_vpc_subnets
- ocp_version = var.ocp_version
worker_pools = local.worker_pools
access_tags = var.access_tags
ocp_entitlement = var.ocp_entitlement
@@ -82,17 +90,32 @@ data "ibm_container_cluster_config" "cluster_config" {
}
##############################################################################
-# Monitoring Instance
+# Monitoring instance
##############################################################################
module "cloud_monitoring" {
- source = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
- version = "3.5.3"
- instance_name = "${var.prefix}-cloud-monitoring"
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- plan = "graduated-tier"
- enable_platform_metrics = var.enable_platform_metrics
+ source = "terraform-ibm-modules/cloud-monitoring/ibm"
+ version = "1.3.0"
+ instance_name = "${var.prefix}-cloud-monitoring"
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.resource_tags
+ region = var.region
+ plan = "graduated-tier"
+}
+
+##############################################################################
+# SCC Workload Protection instance
+##############################################################################
+
+module "scc_wp" {
+ source = "terraform-ibm-modules/scc-workload-protection/ibm"
+ version = "1.10.3"
+ name = "${var.prefix}-scc-wp"
+ resource_group_id = module.resource_group.resource_group_id
+ region = var.region
+ resource_tags = var.resource_tags
+ cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+ cspm_enabled = false
}
##############################################################################
@@ -100,15 +123,21 @@ module "cloud_monitoring" {
##############################################################################
module "monitoring_agents" {
- source = "../.."
+ source = "../.."
+ # remove the above line and uncomment the below 2 lines to consume the module from the registry
+ # source = "terraform-ibm-modules/monitoring-agent/ibm"
+ # version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
cluster_id = module.ocp_base.cluster_id
cluster_resource_group_id = module.resource_group.resource_group_id
- # Monitoring agent
- access_key = module.cloud_monitoring.access_key
- cloud_monitoring_instance_region = var.region
+ is_vpc_cluster = true
+ access_key = module.cloud_monitoring.access_key
+ instance_region = var.region
# example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
- metrics_filter = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
- container_filter = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
- blacklisted_ports = [22, 2379, 3306]
- enable_universal_ebpf = true
+ metrics_filter = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+ # example of how to include / exclude container filter - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data
+ container_filter = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+ # example of how to include / exclude container filter - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports
+ blacklisted_ports = [22, 2379, 3306]
+ # example of adding agent tag
+ agent_tags = { "environment" : "test", "custom" : "value" }
}
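Review bot: The comment above `blacklisted_ports` repeats the container-filter wording even though its link targets `#change_kube_agent_block_ports`; it should read `# example of how to block ports - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports`. Separately, `is_vpc_cluster = true` is hard-coded here while the iks example (L426) takes it from `var.is_vpc_cluster`; either works, but using the same approach in both examples keeps them easier to diff against each other.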
diff --git a/examples/obs-agent-ocp/provider.tf b/examples/obs-agent-ocp/provider.tf
index 13202b7c..a5fc539e 100644
--- a/examples/obs-agent-ocp/provider.tf
+++ b/examples/obs-agent-ocp/provider.tf
@@ -16,3 +16,13 @@ provider "kubernetes" {
token = data.ibm_container_cluster_config.cluster_config.token
cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
}
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+provider "restapi" {
+ uri = "https://resource-controller.cloud.ibm.com"
+ headers = {
+ Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
+ }
+ write_returns_object = true
+}
diff --git a/examples/obs-agent-ocp/variables.tf b/examples/obs-agent-ocp/variables.tf
index d98d746e..f1d248fc 100644
--- a/examples/obs-agent-ocp/variables.tf
+++ b/examples/obs-agent-ocp/variables.tf
@@ -34,20 +34,8 @@ variable "region" {
default = "us-south"
}
-variable "ocp_version" {
- type = string
- description = "Version of the OCP cluster to provision"
- default = null
-}
-
variable "ocp_entitlement" {
type = string
description = "Value that is applied to the entitlements for OCP cluster provisioning"
default = null
}
-
-variable "enable_platform_metrics" {
- type = bool
- description = "Enable platform metrics"
- default = false
-}
diff --git a/examples/obs-agent-ocp/version.tf b/examples/obs-agent-ocp/version.tf
index 4e8ded7d..6ae2c910 100644
--- a/examples/obs-agent-ocp/version.tf
+++ b/examples/obs-agent-ocp/version.tf
@@ -1,12 +1,12 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
# Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
- # module's version.tf (obs-agent-iks), and 1 example that will always use the latest provider version (this exammple).
+ # module's version.tf (obs-agent-iks), and 1 example that will always use the latest provider version (this example).
required_providers {
ibm = {
source = "ibm-cloud/ibm"
- version = ">= 1.79.0"
+ version = ">= 1.79.2"
}
helm = {
source = "hashicorp/helm"
@@ -16,5 +16,9 @@ terraform {
source = "hashicorp/kubernetes"
version = ">= 2.16.1"
}
+ restapi = {
+ source = "Mastercard/restapi"
+ version = ">= 2.0.1"
+ }
}
}
diff --git a/ibm_catalog.json b/ibm_catalog.json
index e832b14d..3cda164b 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -1,7 +1,7 @@
{
"products": [
{
- "label": "Cloud automation for Monitoring agent",
+ "label": "Cloud automation for Monitoring and Workload Protection agent",
"name": "deploy-arch-ibm-monitoring-agent",
"product_kind": "solution",
"tags": [
@@ -11,6 +11,7 @@
"solution",
"logging",
"logging_monitoring",
+ "security",
"converged_infra"
],
"keywords": [
@@ -22,8 +23,8 @@
"solution"
],
"provider_name": "IBM",
- "short_description": "Deploys IBM Monitoring Agent to a cluster",
- "long_description": "Solution that supports deploying an IBM Monitoring Agent to a cluster. The agent facilitates [IBM Cloud Monitoring](https://www.ibm.com/products/cloud-monitoring) in gaining operational visibility into the performance and health of your applications, services, and platforms.",
+ "short_description": "Deploys an agent to monitor metrics and security data on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster",
+ "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).
Key considerations
Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring
You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
Both instances must be in the same region.
You can connect only one Monitoring instance to one Workload Protection instance.
Connections can only be established between two new instances or between one new and one existing instance.
This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/main/images/monitoring-icon.svg",
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues). Please note this product is not supported via the IBM Cloud Support Center.",
@@ -45,22 +46,46 @@
"architecture": {
"features": [
{
- "title": "Works with any Openshift or k8s cluster",
- "description": "Yes"
+ "title": "System Metrics Collection",
+ "description": "Collects data on CPU, memory, disk, and network usage from hosts and virtual machines."
},
{
- "title": "Deploys the IBM Monitoring Agent on an existing cluster.",
- "description": "Yes"
+ "title": "Container & Kubernetes Monitoring",
+ "description": "Tracks performance and resource usage of containers, pods, and Kubernetes clusters."
+ },
+ {
+ "title": "Process & Service Monitoring",
+ "description": "Monitors running processes and system services, providing visibility into their resource consumption."
+ },
+ {
+ "title": "Custom Metrics Support",
+ "description": "Allows you to publish your own application metrics for monitoring and alerting."
+ },
+ {
+ "title": "Vulnerability Scanning",
+ "description": "Allows you to publish your own application metrics for monitoring and alerting."
+ },
+ {
+ "title": "Runtime Protection",
+ "description": "Detects and blocks suspicious processes or behavior at runtime."
+ },
+ {
+ "title": "Compliance Monitoring",
+ "description": "Checks workloads against compliance standards (e.g., CIS Benchmarks) and reports violations."
+ },
+ {
+ "title": "Threat Detection & Alerts",
+ "description": "Provides real-time alerts on suspicious activities and policy violations."
}
],
"diagrams": [
{
"diagram": {
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/refs/heads/main/reference-architecture/deployable-architecture-monitoring-agent.svg",
- "caption": "Monitoring Agent on a cluster",
+ "caption": "Configure agent on a cluster to monitor metrics and security data",
"type": "image/svg+xml"
},
- "description": "Monitoring Agent deployed on a cluster."
+ "description": "Configure agent on a cluster to monitor metrics and security data"
}
]
},
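Review bot: The `Vulnerability Scanning` feature (L838–L839) reuses the `Custom Metrics Support` description verbatim ("Allows you to publish your own application metrics for monitoring and alerting."), which is a copy-paste error in catalog-facing text. Replace it with a description of the scanning capability, for example `"description": "Scans container images and hosts for known vulnerabilities and reports findings."` (wording to be confirmed against the product documentation).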
@@ -70,6 +95,7 @@
"required": true
},
{
+ "display_name": "cluster",
"key": "cluster_id",
"custom_config": {
"type": "cluster_var",
@@ -79,6 +105,7 @@
"required": true
},
{
+ "display_name": "resource_group",
"key": "cluster_resource_group_id",
"custom_config": {
"type": "resource_group",
@@ -95,31 +122,47 @@
"required": true
},
{
- "key": "cloud_monitoring_instance_region",
+ "key": "instance_region",
"required": true,
"options": [
{
- "displayname": "eu-gb",
+ "displayname": "London (eu-gb)",
"value": "eu-gb"
},
{
- "displayname": "eu-de",
+ "displayname": "Frankfurt (eu-de)",
"value": "eu-de"
},
{
- "displayname": "us-east",
+ "displayname": "Madrid (eu-es)",
+ "value": "eu-es"
+ },
+ {
+ "displayname": "Washington (us-east)",
"value": "us-east"
},
{
- "displayname": "us-south",
+ "displayname": "Dallas (us-south)",
"value": "us-south"
},
{
- "displayname": "jp-tok",
+ "displayname": "Tokyo (jp-tok)",
"value": "jp-tok"
},
{
- "displayname": "au-syd",
+ "displayname": "Osaka (jp-osa)",
+ "value": "jp-osa"
+ },
+ {
+ "displayname": "Sao Paulo (br-sao)",
+ "value": "br-sao"
+ },
+ {
+ "displayname": "Toronto (ca-tor)",
+ "value": "ca-tor"
+ },
+ {
+ "displayname": "Sydney (au-syd)",
"value": "au-syd"
}
]
@@ -128,6 +171,36 @@
"key": "is_vpc_cluster",
"required": true
},
+ {
+ "key": "cluster_shield_deploy",
+ "required": true
+ },
+ {
+ "key": "enable_host_scanner",
+ "required": true
+ },
+ {
+ "key": "enable_kspm_analyzer",
+ "required": true
+ },
+ {
+ "key": "use_private_endpoint"
+ },
+ {
+ "key": "chart"
+ },
+ {
+ "key": "chart_location"
+ },
+ {
+ "key": "chart_version"
+ },
+ {
+ "key": "name"
+ },
+ {
+ "key": "namespace"
+ },
{
"key": "image_registry_base_url"
},
@@ -141,25 +214,28 @@
"key": "agent_image_tag_digest"
},
{
- "key": "kernal_module_image_repository"
+ "key": "cluster_shield_image_repository"
},
{
- "key": "kernel_module_image_tag_digest"
+ "key": "cluster_shield_image_tag_digest"
},
{
- "key": "chart"
+ "key": "cluster_shield_limits_cpu"
},
{
- "key": "chart_location"
+ "key": "cluster_shield_limits_memory"
},
{
- "key": "chart_version"
+ "key": "cluster_shield_requests_cpu"
+ },
+ {
+ "key": "cluster_shield_requests_memory"
},
{
- "key": "name"
+ "key": "kernal_module_image_repository"
},
{
- "key": "namespace"
+ "key": "kernel_module_image_tag_digest"
},
{
"key": "existing_access_key_secret_name"
@@ -170,6 +246,9 @@
{
"key": "agent_tags"
},
+ {
+ "key": "deployment_tag"
+ },
{
"key": "agent_requests_cpu"
},
@@ -192,23 +271,26 @@
}
},
{
- "key": "cloud_monitoring_instance_endpoint_type",
- "options": [
- {
- "displayname": "public",
- "value": "public"
- },
- {
- "displayname": "private",
- "value": "private"
+ "key": "blacklisted_ports",
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "config_constraints": {
+ "type": "string"
}
- ]
+ }
},
{
- "key": "blacklisted_ports"
+ "key": "metrics_filter",
+ "type": "array",
+ "custom_config": {
+ "type": "textarea",
+ "grouping": "deployment",
+ "original_grouping": "deployment"
+ }
},
{
- "key": "metrics_filter",
+ "key": "container_filter",
"type": "array",
"custom_config": {
"type": "textarea",
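Review bot: `blacklisted_ports` is given `"config_constraints": { "type": "string" }` while the ocp example (L697) passes it as a list of numbers `[22, 2379, 3306]` and the neighbouring `metrics_filter`/`container_filter` entries declare `"type": "array"` with a `textarea` custom_config; if the underlying variable is a list type, the catalog UI would hand the solution a string it cannot coerce. Confirm the variable's declared type and align this entry with its siblings if it is a list. The `cloud_monitoring_instance_endpoint_type` options are removed here; presumably the new `use_private_endpoint` key (L955) supersedes it, which a short note in the PR description would make clear.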
diff --git a/main.tf b/main.tf
index 5e292074..c7fa79f2 100644
--- a/main.tf
+++ b/main.tf
@@ -28,9 +28,14 @@ data "ibm_container_cluster_config" "cluster_config" {
}
locals {
- # LOCALS
- cluster_name = var.is_vpc_cluster ? data.ibm_container_vpc_cluster.cluster[0].resource_name : data.ibm_container_cluster.cluster[0].resource_name # Not publically documented in provider. See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4485
- collector_host = var.cloud_monitoring_instance_endpoint_type == "private" ? "ingest.private.${var.cloud_monitoring_instance_region}.monitoring.cloud.ibm.com" : "ingest.${var.cloud_monitoring_instance_region}.monitoring.cloud.ibm.com"
+ cluster_name = var.is_vpc_cluster ? data.ibm_container_vpc_cluster.cluster[0].resource_name : data.ibm_container_cluster.cluster[0].resource_name # Not publicly documented in provider. See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4485
+ use_container_filter = length(var.container_filter) < 0 || var.container_filter == null ? false : true
+ # construct ingestion and api endpoints based on inputs
+ monitoring_api_endpoint = "${var.instance_region}.monitoring.cloud.ibm.com"
+ scc_wp_api_endpoint = "${var.instance_region}.security-compliance-secure.cloud.ibm.com"
+ base_endpoint = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
+ ingestion_endpoint = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
+ api_host = replace(local.ingestion_endpoint, "ingest.", "")
}
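Review bot: `use_container_filter` cannot become false through its first operand: `length(var.container_filter) < 0` is never true because `length` is non-negative, and when `var.container_filter` is `null` the `length()` call is evaluated before the `== null` check and fails. The intended expression is `use_container_filter = var.container_filter != null && length(var.container_filter) > 0`. The `api_host` derivation via `replace(local.ingestion_endpoint, "ingest.", "")` yields `private.<region>.…` in the private case, which is presumably intended; a one-line comment naming the two resulting host forms would help the next reader.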
resource "helm_release" "cloud_monitoring_agent" {
@@ -46,24 +51,22 @@ resource "helm_release" "cloud_monitoring_agent" {
force_update = true
reset_values = true
+ # Values
set {
- name = "agent.collectorSettings.collectorHost"
- type = "string"
- value = local.collector_host
- }
- set {
- name = "agent.slim.image.repository"
+ name = "Values.image.repository"
type = "string"
- value = var.agent_image_repository
+ value = var.image_registry_base_url
}
+
+ # Global
set {
- name = "agent.slim.kmoduleImage.repository"
+ name = "global.imageRegistry"
type = "string"
- value = var.kernal_module_image_repository
+ value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
}
set {
- name = "agent.slim.enabled"
- value = true
+ name = "global.sysdig.apiHost"
+ value = local.api_host
}
dynamic "set_sensitive" {
for_each = var.access_key != null && var.access_key != "" ? [1] : []
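Review bot: With `agent.collectorSettings.collectorHost` removed, the only visible consumer of `local.ingestion_endpoint` is the `api_host` derivation; if the collector host is not set in the values heredoc later in this resource (truncated in this rendering), the agent will fall back to the chart's default collector instead of the region/private endpoint computed in locals, so worth confirming. `Values.image.repository` (capital V) is carried over from the old block; if it is not a real key in the chart it is silently ignored by Helm, and `global.imageRegistry` already covers the registry, so either correct it to the chart's actual key or drop it.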
@@ -87,86 +90,180 @@ resource "helm_release" "cloud_monitoring_agent" {
value = local.cluster_name
}
set {
- name = "agent.image.registry"
+ name = "global.sysdig.tags.deployment"
type = "string"
- value = var.image_registry_base_url
+ value = var.deployment_tag
}
set {
- name = "Values.image.repository"
+ name = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
type = "string"
- value = var.image_registry_base_url
+ value = var.add_cluster_name ? local.cluster_name : null
+ }
+ dynamic "set" {
+ for_each = var.agent_tags
+ content {
+ name = "global.sysdig.tags.${set.key}"
+ value = set.value
+ }
+ }
+
+ # Cluster shield
+ set {
+ name = "clusterShield.enabled"
+ value = var.cluster_shield_deploy
}
set {
- name = "global.imageRegistry"
- type = "string"
- value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
+ name = "clusterShield.image.repository"
+ value = var.cluster_shield_image_repository
+ }
+ set {
+ name = "clusterShield.image.tag"
+ value = var.cluster_shield_image_tag_digest
}
set {
- name = "agent.image.tag"
+ name = "clusterShield.resources.requests.cpu"
type = "string"
- value = var.agent_image_tag_digest
+ value = var.cluster_shield_requests_cpu
}
set {
- name = "agent.resources.requests.cpu"
+ name = "clusterShield.resources.requests.memory"
type = "string"
- value = var.agent_requests_cpu
+ value = var.cluster_shield_requests_memory
}
set {
- name = "agent.resources.requests.memory"
+ name = "clusterShield.resources.limits.cpu"
type = "string"
- value = var.agent_requests_memory
+ value = var.cluster_shield_limits_cpu
}
set {
- name = "agent.resources.limits.cpu"
+ name = "clusterShield.resources.limits.memory"
type = "string"
- value = var.agent_limits_cpu
+ value = var.cluster_shield_limits_memory
}
set {
- name = "agent.resources.limits.memory"
+ name = "clusterShield.cluster_shield.sysdig_endpoint.region"
type = "string"
- value = var.agent_limits_memory
+ value = "custom"
}
set {
- name = "agent.slim.kmoduleImage.digest"
+ name = "clusterShield.cluster_shield.log_level"
type = "string"
- value = regex("@(.*)", var.kernel_module_image_tag_digest)[0]
+ value = "info"
}
set {
- name = "agent.ebpf.enabled"
- value = var.enable_universal_ebpf
+ name = "clusterShield.cluster_shield.features.admission_control.enabled"
+ value = var.cluster_shield_deploy
}
-
set {
- name = "agent.ebpf.kind"
- value = "universal_ebpf"
+ name = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
+ value = var.cluster_shield_deploy
}
- # Specific to SCC WP, enabled by default
+ set {
+ name = "clusterShield.cluster_shield.features.audit.enabled"
+ value = var.cluster_shield_deploy
+ }
+ set {
+ name = "clusterShield.cluster_shield.features.posture.enabled"
+ value = var.cluster_shield_deploy
+ }
+
+ # nodeAnalyzer has been replaced by the host_scanner and kspm_analyzer functionality of main agent daemonset
set {
name = "nodeAnalyzer.enabled"
- type = "auto"
+ value = false
+ }
+ # clusterScanner has been replaced by cluster_shield component
+ set {
+ name = "clusterScanner.enabled"
value = false
}
- # Values to be passed to the agent config map, e.g `kubectl describe configmap sysdig-agent -n ibm-observe`
- values = [
- yamlencode({
- agent = {
- sysdig = {
- settings = {
- blacklisted_ports = var.blacklisted_ports
- metrics_filter = var.metrics_filter
- container_filter = var.container_filter
- }
- tags = merge(
- var.agent_tags,
- var.add_cluster_name ? {
- "ibm-containers-kubernetes-cluster-name" = local.cluster_name
- } : {}
- )
- },
- tolerations = var.tolerations
- }
- })
+ # Had to use raw yaml here instead of converting HCL to yaml due to this issue with boolean getting converted to string which sysdig helm chart rejects:
+ # https://github.com/hashicorp/terraform-provider-helm/issues/1677
+ values = [<
-
-
-
\ No newline at end of file
+
\ No newline at end of file
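Review bot: `global.sysdig.tags.ibm-containers-kubernetes-cluster-name` is set with `value = var.add_cluster_name ? local.cluster_name : null`, but `value` is a required attribute of the helm provider's `set` block, so the `null` branch is treated as unset and fails validation instead of omitting the tag (the previous `merge(...)` form omitted it). Guard it with a `dynamic "set"` block keyed on `var.add_cluster_name`, like the `agent_tags` loop below it. `clusterShield.image.tag` is fed from `var.cluster_shield_image_tag_digest`, whereas the kernel-module digest was previously extracted with `regex("@(.*)", …)`; confirm whether the chart expects a tag or a digest in that key. The `values` heredoc starting at `values = [<` is cut off in this rendering, so the remainder of the resource was not reviewable.
```terraform
  dynamic "set" {
    for_each = var.add_cluster_name ? [1] : []
    content {
      name  = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
      type  = "string"
      value = local.cluster_name
    }
  }
  # … unchanged: agent_tags loop, cluster shield settings, values heredoc …
```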
diff --git a/solutions/fully-configurable/DA-docs.md b/solutions/fully-configurable/DA-docs.md
index 5e6fff24..5087fa5c 100644
--- a/solutions/fully-configurable/DA-docs.md
+++ b/solutions/fully-configurable/DA-docs.md
@@ -1,3 +1,12 @@
+## Key considerations
+
+- Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
+- You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring.
+- You can use the [terraform-ibm-scc-workload-protection](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection) module to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
+- Both instances must be in the same region.
+- You can connect only one Monitoring instance to one Workload Protection instance.
+- Connections can only be established between two new instances or between one new and one existing instance.
+
## When to Enable `enable_universal_ebpf`
For Clusters using Red Hat CoreOS (RHCOS) or RHEL 9 nodes with restricted outbound internet access, the monitoring agent pods may fail to start due to the inability to retrieve kernel modules which are necessary for the agent to connect with kernel.
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index 735b3dfc..ecaa6fc7 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
@@ -1,3 +1,3 @@
-# Cloud automation for Cloud Monitoring Agent (Fully configurable)
+# Cloud automation for Monitoring and Workload Protection agent (Fully configurable)
:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index bf545aac..1bdf8ae6 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -10,37 +10,47 @@ data "ibm_container_cluster_config" "cluster_config" {
}
module "monitoring_agent" {
- source = "../.."
- cluster_id = var.cluster_id
- cluster_resource_group_id = var.cluster_resource_group_id
- cluster_config_endpoint_type = var.cluster_config_endpoint_type
- wait_till = var.wait_till
- wait_till_timeout = var.wait_till_timeout
- is_vpc_cluster = var.is_vpc_cluster
- # Cloud Monitoring Agent
- name = var.name
- namespace = var.namespace
- cloud_monitoring_instance_endpoint_type = var.cloud_monitoring_instance_endpoint_type
- access_key = var.access_key
- existing_access_key_secret_name = var.existing_access_key_secret_name
- agent_tags = var.agent_tags
- add_cluster_name = var.add_cluster_name
- blacklisted_ports = var.blacklisted_ports
- metrics_filter = var.metrics_filter
- cloud_monitoring_instance_region = var.cloud_monitoring_instance_region
- tolerations = var.tolerations
- chart = var.chart
- chart_location = var.chart_location
- chart_version = var.chart_version
- image_registry_base_url = var.image_registry_base_url
- image_registry_namespace = var.image_registry_namespace
- agent_image_repository = var.agent_image_repository
- agent_image_tag_digest = var.agent_image_tag_digest
- kernel_module_image_tag_digest = var.kernel_module_image_tag_digest
- kernal_module_image_repository = var.kernal_module_image_repository
- agent_limits_cpu = var.agent_limits_cpu
- agent_limits_memory = var.agent_limits_memory
- agent_requests_cpu = var.agent_requests_cpu
- agent_requests_memory = var.agent_requests_memory
- enable_universal_ebpf = var.enable_universal_ebpf
+ source = "../.."
+ cluster_id = var.cluster_id
+ cluster_resource_group_id = var.cluster_resource_group_id
+ cluster_config_endpoint_type = var.cluster_config_endpoint_type
+ wait_till = var.wait_till
+ wait_till_timeout = var.wait_till_timeout
+ instance_region = var.instance_region
+ use_private_endpoint = var.use_private_endpoint
+ is_vpc_cluster = var.is_vpc_cluster
+ name = var.name
+ namespace = var.namespace
+ access_key = var.access_key
+ existing_access_key_secret_name = var.existing_access_key_secret_name
+ agent_tags = var.agent_tags
+ add_cluster_name = var.add_cluster_name
+ blacklisted_ports = var.blacklisted_ports
+ metrics_filter = var.metrics_filter
+ container_filter = var.container_filter
+ tolerations = var.tolerations
+ chart = var.chart
+ chart_location = var.chart_location
+ chart_version = var.chart_version
+ image_registry_base_url = var.image_registry_base_url
+ image_registry_namespace = var.image_registry_namespace
+ agent_image_repository = var.agent_image_repository
+ agent_image_tag_digest = var.agent_image_tag_digest
+ kernel_module_image_tag_digest = var.kernel_module_image_tag_digest
+ kernal_module_image_repository = var.kernal_module_image_repository
+ agent_limits_cpu = var.agent_limits_cpu
+ agent_limits_memory = var.agent_limits_memory
+ agent_requests_cpu = var.agent_requests_cpu
+ agent_requests_memory = var.agent_requests_memory
+ enable_universal_ebpf = var.enable_universal_ebpf
+ deployment_tag = var.deployment_tag
+ enable_host_scanner = var.enable_host_scanner
+ enable_kspm_analyzer = var.enable_kspm_analyzer
+ cluster_shield_deploy = var.cluster_shield_deploy
+ cluster_shield_image_tag_digest = var.cluster_shield_image_tag_digest
+ cluster_shield_image_repository = var.cluster_shield_image_repository
+ cluster_shield_requests_cpu = var.cluster_shield_requests_cpu
+ cluster_shield_limits_cpu = var.cluster_shield_limits_cpu
+ cluster_shield_requests_memory = var.cluster_shield_requests_memory
+ cluster_shield_limits_memory = var.cluster_shield_limits_memory
}
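Review bot: `use_scc_wp_endpoint`, which the root module's locals consult (`var.use_scc_wp_endpoint` at L1075), is not passed through here, so this solution can only reach the Workload Protection endpoint if the root variable's default already selects it; either pass `use_scc_wp_endpoint = var.use_scc_wp_endpoint` or add a comment stating why it is deliberately fixed. The misspelled `kernal_module_image_repository` input is carried into the new block and the catalog entry (L1003); keeping it is right since it is part of the public interface, but a short comment such as `# spelling kept for backward compatibility` would stop the next person "fixing" it.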
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 35b46834..395ede34 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -1,16 +1,16 @@
+##############################################################################
+# Cluster variables
+##############################################################################
+
variable "ibmcloud_api_key" {
type = string
description = "The IBM Cloud API key."
sensitive = true
}
-##############################################################################
-# Cluster variables
-##############################################################################
-
variable "cluster_id" {
type = string
- description = "The ID of the cluster to deploy the agent in."
+ description = "The ID of the cluster you wish to deploy the agent in."
nullable = false
}
@@ -21,108 +21,111 @@ variable "cluster_resource_group_id" {
}
variable "cluster_config_endpoint_type" {
- description = "Specify the type of endpoint to use to access the cluster configuration. Possible values: `default`, `private`, `vpe`, `link`. The `default` value uses the default endpoint of the cluster."
+ description = "Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster."
type = string
- default = "private"
+ default = "default"
nullable = false # use default if null is passed in
+ validation {
+ error_message = "Invalid Endpoint Type! Valid values are 'default', 'private', 'vpe', or 'link'"
+ condition = contains(["default", "private", "vpe", "link"], var.cluster_config_endpoint_type)
+ }
}
variable "is_vpc_cluster" {
+ description = "Specify true if the target cluster is a VPC cluster, false if it is a classic cluster."
type = bool
- description = "Specify true if the target cluster for the DA is a VPC cluster, false if it is classic cluster."
default = true
+ nullable = false
}
variable "wait_till" {
- description = "Specify the stage when Terraform should mark the cluster resource creation as completed. Supported values: `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady`, `Normal`."
+ description = "To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported values are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal`"
type = string
default = "Normal"
+ nullable = false
+
+ validation {
+ error_message = "'wait_till' value must be one of 'MasterNodeReady', 'OneWorkerNodeReady', 'IngressReady' or 'Normal'."
+ condition = contains([
+ "MasterNodeReady",
+ "OneWorkerNodeReady",
+ "IngressReady",
+ "Normal"
+ ], var.wait_till)
+ }
}
variable "wait_till_timeout" {
description = "Timeout for wait_till in minutes."
type = number
default = 90
+ nullable = false
}
##############################################################################
-# Cloud Monitoring variables
+# Common agent variables
##############################################################################
-variable "access_key" {
+variable "instance_region" {
type = string
- description = "Access key used by the IBM Cloud Monitoring agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored on a new secret on the cluster if passed."
- sensitive = true
- default = null
+ description = "The region of the IBM Cloud Monitoring instance that you want to send metrics to. This is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#key-considerations)."
+ nullable = false
}
-variable "existing_access_key_secret_name" {
+variable "use_private_endpoint" {
+ type = bool
+ description = "Whether send data over a private endpoint or not. To use a private endpoint, you must enable [virtual routing and forwarding (VRF)](https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint) for your account."
+ default = true
+ nullable = false
+}
+
+variable "access_key" {
type = string
- description = "An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an access-key entry."
+ description = "Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance."
+ sensitive = true
default = null
validation {
condition = (
(var.access_key != null && var.access_key != "") ||
(var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "")
)
- error_message = "Either `access_key` or `existing_access_key_secret_name` must be provided and non-empty."
+ error_message = "Either 'access_key' or 'existing_access_key_secret_name' must be provided and non-empty."
}
}
-variable "cloud_monitoring_instance_region" {
+variable "existing_access_key_secret_name" {
type = string
- description = "The name of the region where the IBM Cloud Monitoring instance is created. This name is used to construct the ingestion endpoint."
- nullable = false
+ description = "An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required."
+ default = null
}
-variable "cloud_monitoring_instance_endpoint_type" {
+variable "name" {
+ description = "The name to give the helm release."
type = string
- description = "Specify the IBM Cloud Monitoring instance endpoint type (`public` or `private`) to use to construct the ingestion endpoint."
- default = "private"
-}
-
-variable "blacklisted_ports" {
- type = list(number)
- description = "To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports)."
- default = []
-}
-
-variable "metrics_filter" {
- type = list(object({
- include = optional(string)
- exclude = optional(string)
- }))
- description = "To filter on custom metrics, specify the IBM Cloud Monitoring metrics to include or exclude. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics) and [here](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-types.md)."
- default = [] # [{ exclude = "metricA.*", include = "metricB.*" }]
+ default = "sysdig-agent"
}
variable "agent_tags" {
- description = "Map of tags to associate to all metrics that the agent collects. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag, e.g `{'environment': 'production'}."
+ description = "Map of tags to associate to the agent. For example, `{\"environment\": \"production\"}`. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag."
type = map(string)
default = {}
}
variable "add_cluster_name" {
type = bool
- description = "If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`."
+ description = "If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`."
default = true
}
-variable "name" {
- description = "The name of the IBM Cloud Monitoring agent that is used to name the Kubernetes and Helm resources on the cluster."
- type = string
- default = "sysdig-agent"
-}
-
variable "namespace" {
type = string
- description = "The namespace to deploy the IBM Cloud Monitoring agent in. Default value: `ibm-observe`."
+ description = "Namespace to deploy the agent to."
default = "ibm-observe"
nullable = false
}
variable "tolerations" {
- description = "The list of tolerations to apply to the IBM Cloud Monitoring agent. The default operator value `Exists` matches any taint on any node except the master node. [Learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)"
+ description = "List of tolerations to apply to the agent." # TODO: Add learn more doc and ensure use textbox in catalog json
type = list(object({
key = optional(string)
operator = optional(string)
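Review bot: The default of `cluster_config_endpoint_type` flips from `"private"` to `"default"` at L1397–L1398, so existing consumers of this solution that never set the input will silently start fetching cluster config over the cluster's default endpoint instead of the private one; that is a behavioural change worth stating explicitly in the release notes and in the description, e.g. appending `Defaults to 'default'; set to 'private' to keep cluster config access on the private network.`. The validation block added at L1400–L1403 is good and matches the one added for `wait_till`. The `# TODO` trailing the `tolerations` description at L1529 ships as-is in the new code and should either be resolved or moved to a tracked issue before merge. The `tolerations` variable continues past the end of this hunk.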
@@ -130,111 +133,206 @@ variable "tolerations" {
effect = optional(string)
tolerationSeconds = optional(number)
}))
- default = [
- {
- operator = "Exists"
+ default = [{
+ operator = "Exists"
},
{
operator = "Exists"
effect = "NoSchedule"
key = "node-role.kubernetes.io/master"
- }
- ]
+ }]
}
variable "chart" {
- description = "The name of the Helm chart to deploy."
+ description = "The name of the Helm chart to deploy. Use `chart_location` to specify helm chart location."
type = string
- default = "sysdig-deploy" # Replace with the actual chart location if different
+ default = "sysdig-deploy"
nullable = false
}
variable "chart_location" {
- description = "The location of the Cloud Monitoring agent helm chart."
+ description = "The location of the agent helm chart."
type = string
- default = "https://charts.sysdig.com" # Replace with the actual repository URL if different
+ default = "https://charts.sysdig.com"
nullable = false
}
variable "chart_version" {
- description = "The version of the Cloud Monitoring agent helm chart to deploy."
+ description = "The version of the agent helm chart to deploy."
type = string
- default = "1.89.1" # registryUrl: charts.sysdig.com
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the registryUrl comment on next line
+ default = "1.89.1" # registryUrl: charts.sysdig.com
+ nullable = false
}
variable "image_registry_base_url" {
- description = "The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc."
+ description = "The image registry base URL to pull all images from. For example `icr.io` or `quay.io`."
type = string
default = "icr.io"
nullable = false
}
variable "image_registry_namespace" {
- description = "The namespace within the image registry to pull the Cloud Monitoring agent images from."
+ description = "The namespace within the image registry to pull all images from."
type = string
default = "ext/sysdig"
nullable = false
}
variable "agent_image_repository" {
- description = "The image repository to pull the Cloud Monitoring agent image from."
+ description = "The image repository to pull the agent image from."
type = string
default = "agent-slim"
nullable = false
}
variable "agent_image_tag_digest" {
- description = "The namespace within the image registry to pull the Cloud Monitoring agent images from."
+ description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
type = string
- default = "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570" # datasource: icr.io/ext/sysdig/agent-slim
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570" # datasource: icr.io/ext/sysdig/agent-slim
+ nullable = false
}
variable "kernel_module_image_tag_digest" {
- description = "The image tag digest to use for the Cloud Monitoring agent kernel module used by the initContainer."
+ description = "The image tag or digest to use for the agent kernel module used by the initContainer. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`"
type = string
- default = "14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68" # datasource: icr.io/ext/sysdig/agent-kmodule
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68" # datasource: icr.io/ext/sysdig/agent-kmodule
+ nullable = false
}
variable "kernal_module_image_repository" {
- description = "The image repository to pull the Cloud Monitoring agent kernal module initContainer image from."
+ description = "The image repository to pull the agent kernal module initContainer image from."
type = string
default = "agent-kmodule"
nullable = false
}
-########################################################################################################################
-# Resource Management Variables
-########################################################################################################################
-
variable "agent_requests_cpu" {
type = string
- description = "Specifies the CPU requested to run in a node for the agent."
+ description = "Specify CPU resource requests for the agent. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements)."
default = "1"
}
variable "agent_limits_cpu" {
type = string
- description = "Specifies the CPU limit for the agent."
+ description = "Specify CPU resource limits for the agent. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements)."
default = "1"
}
variable "agent_requests_memory" {
type = string
- description = "Specifies the memory requested to run in a node for the agent."
+ description = "Specify memory resource requests for the agent. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements)."
default = "1024Mi"
}
variable "agent_limits_memory" {
type = string
- description = "Specifies the memory limit for the agent."
+ description = "Specify memory resource limits for the agent. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements)."
default = "1024Mi"
}
variable "enable_universal_ebpf" {
type = bool
- description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+ description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
default = true
}
+
+variable "deployment_tag" {
+ type = string
+ description = "Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...)."
+ default = "terraform"
+}
+
+##############################################################################
+# Metrics related variables
+##############################################################################
+
+variable "blacklisted_ports" {
+ type = list(number)
+ description = "To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports"
+ default = []
+}
+
+variable "metrics_filter" {
+ type = list(object({
+ include = optional(string)
+ exclude = optional(string)
+ }))
+ description = "To filter custom metrics you can specify which metrics to include and exclude. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#metrics_filter)."
+ default = []
+}
+
+variable "container_filter" {
+ type = list(object({
+ type = string
+ parameter = string
+ name = string
+ }))
+ description = "Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data"
+ default = []
+ validation {
+ condition = length(var.container_filter) == 0 || can(regex("^(include|exclude)$", var.container_filter[0].type))
+ error_message = "Invalid input for 'container_filter'. Valid options for 'type' are: `include` and `exclude`."
+ }
+}
+
+##############################################################################
+# SCC-WP related variables
+##############################################################################
+
+variable "enable_host_scanner" {
+ type = bool
+ description = "Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results."
+ default = true
+}
+
+variable "enable_kspm_analyzer" {
+ type = bool
+ description = "Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results."
+ default = true
+}
+
+variable "cluster_shield_deploy" {
+ type = bool
+ description = "Deploy the Cluster Shield component to provide runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment will be deployed to your cluster using helm."
+ default = true
+}
+
+variable "cluster_shield_image_tag_digest" {
+ description = "The image tag or digest to pull for the Cluster Shield component. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+ type = string
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a" # datasource: icr.io/ext/sysdig/cluster-shield
+}
+
+variable "cluster_shield_image_repository" {
+ description = "The image repository to pull the Cluster Shield image from."
+ type = string
+ default = "cluster-shield"
+}
+
+variable "cluster_shield_requests_cpu" {
+ type = string
+ description = "Specify CPU resource requests for the cluster shield pods."
+ default = "500m"
+}
+
+variable "cluster_shield_limits_cpu" {
+ type = string
+ description = "Specify CPU resource limits for the cluster shield pods."
+ default = "1500m"
+}
+
+variable "cluster_shield_requests_memory" {
+ type = string
+ description = "Specify memory resource requests for the cluster shield pods."
+ default = "512Mi"
+}
+
+variable "cluster_shield_limits_memory" {
+ type = string
+ description = "Specify memory resource limits for the cluster shield pods."
+ default = "1536Mi"
+}
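Review bot: The `container_filter` validation at L1694 only inspects `var.container_filter[0].type`, so any element after the first can carry an invalid `type` and still pass; replace the condition with `condition = alltrue([for f in var.container_filter : contains(["include", "exclude"], f.type)])`, which also handles the empty-list case without the explicit `length()` guard. Separately, `cluster_shield_image_tag_digest` at L1721–L1726 omits `nullable = false` while the sibling image-tag variables at L1606 and L1616 set it, so a null passed here would reach the module unchecked; add `nullable = false` for consistency.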
diff --git a/tests/other_test.go b/tests/other_test.go
new file mode 100644
index 00000000..9776a411
--- /dev/null
+++ b/tests/other_test.go
@@ -0,0 +1,37 @@
+// Tests in this file are NOT run in the PR pipeline. They are run in the continuous testing pipeline along with the ones in pr_test.go
+package test
+
+import (
+ "math/rand/v2"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+)
+
+// Adding this test to other_test.go as the DA tests in pr_test.go essentially cover the same test
+func TestRunAgentVpcOcp(t *testing.T) {
+ t.Parallel()
+
+ options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: terraformDirMonitoringAgentROKS,
+ Prefix: "obs-agent-ocp",
+ ResourceGroup: resourceGroup,
+ Region: validRegions[rand.IntN(len(validRegions))],
+ IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+ List: IgnoreUpdates,
+ },
+ IgnoreAdds: testhelper.Exemptions{
+ List: IgnoreAdds,
+ },
+ CloudInfoService: sharedInfoSvc,
+ })
+ options.TerraformVars = map[string]interface{}{
+ "ocp_entitlement": "cloud_pak",
+ }
+
+ output, err := options.RunTestConsistency()
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+}
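Review bot: `options.TerraformVars = map[string]interface{}{...}` at L1792 replaces the whole map rather than adding a key to it, whereas the deleted `setupOptions` wrote `options.TerraformVars["ocp_entitlement"] = "cloud_pak"` into the existing map; if `TestOptionsDefaultWithVars` seeds that map with prefix, region or resource-group entries (its name suggests it does), those are dropped here. The same replacement appears in `TestRunAgentClassicKubernetes` at L1961 with `"datacenter": "syd01"`. Keeping the original assignment form, `options.TerraformVars["ocp_entitlement"] = "cloud_pak"`, preserves whatever the wrapper populated.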
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 6225af20..08dd6207 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -27,15 +27,26 @@ const terraformDirMonitoringAgentROKS = "examples/obs-agent-ocp"
var sharedInfoSvc *cloudinfo.CloudInfoService
-// Currently only including regions that Event Notification support
var validRegions = []string{
"au-syd",
+ "us-east",
"eu-gb",
"eu-de",
"eu-es",
"us-south",
+ "jp-osa",
+ "jp-tok",
+ "br-sao",
+ "ca-tor",
}
+var IgnoreUpdates = []string{
+ "module.monitoring_agent.helm_release.cloud_monitoring_agent",
+}
+
+// workaround for https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues/243
+var IgnoreAdds = []string{"module.scc_wp.restapi_object.cspm"}
+
// TestMain will be run before any parallel tests, used to set up a shared InfoService object to track region usage
// for multiple tests
func TestMain(m *testing.M) {
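Review bot: `IgnoreUpdates` at L1819 and `IgnoreAdds` at L1824 are capitalised, which in Go marks them as exported; package-level test fixtures are conventionally unexported (`ignoreUpdates`, `ignoreAdds`), and the current names collide with the `testhelper.TestOptions` field names so the struct literals read as `IgnoreUpdates: testhelper.Exemptions{List: IgnoreUpdates}`. The `IgnoreAdds` workaround at L1823–L1824 links a tracking issue, which is the right way to document a suppressed consistency check; consider the same one-line comment on `IgnoreUpdates` explaining why the helm release is exempt.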
@@ -44,40 +55,15 @@ func TestMain(m *testing.M) {
os.Exit(m.Run())
}
-func setupOptions(t *testing.T, prefix string, terraformDir string) *testhelper.TestOptions {
-
- options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
- Testing: t,
- TerraformDir: terraformDir,
- Prefix: prefix,
- ResourceGroup: resourceGroup,
- IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
- List: []string{
- "module.monitoring_agent.helm_release.cloud_monitoring_agent",
- },
- },
- CloudInfoService: sharedInfoSvc,
- })
-
- // add ocp entitlement to keep costs down for tests
- if terraformDir == terraformDirMonitoringAgentROKS {
- options.TerraformVars["ocp_entitlement"] = "cloud_pak"
- }
-
- options.TerraformVars["enable_platform_metrics"] = false
-
- return options
-}
-
func TestFullyConfigurableSolution(t *testing.T) {
t.Parallel()
var region = validRegions[rand.IntN(len(validRegions))]
// ------------------------------------------------------------------------------------------------------
- // Deploy SLZ ROKS Cluster and Monitoring instances since it is needed to deploy Monitoring Agent
+ // Deploy OCP Cluster and Monitoring instance since it is needed to deploy agent
// ------------------------------------------------------------------------------------------------------
- prefix := fmt.Sprintf("slz-%s", strings.ToLower(random.UniqueId()))
+ prefix := fmt.Sprintf("ocp-%s", strings.ToLower(random.UniqueId()))
realTerraformDir := "./resources"
tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
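Review bot: Removing `setupOptions` also drops the `options.TerraformVars["enable_platform_metrics"] = false` it applied to both example directories (old L1852), and none of the inline option blocks that replace it in `TestRunAgentVpcKubernetes`, `TestRunAgentClassicKubernetes` or `TestRunAgentVpcOcp` set that input; if the examples still expose it, those tests now run with its default, which may provision platform metrics that the tests previously avoided. The examples are not in this view, so confirm whether the input still exists and, if so, restore the assignment in each test. `TestFullyConfigurableSolution` continues past the end of this hunk.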
@@ -117,9 +103,7 @@ func TestFullyConfigurableSolution(t *testing.T) {
fullyConfigurableSolutionKubeconfigDir + "/*.*",
},
IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
- List: []string{
- "module.monitoring_agent.helm_release.cloud_monitoring_agent",
- },
+ List: IgnoreUpdates,
},
ResourceGroup: resourceGroup,
TemplateFolder: fullyConfigurableSolutionDir,
@@ -131,7 +115,7 @@ func TestFullyConfigurableSolution(t *testing.T) {
options.TerraformVars = []testschematic.TestSchematicTerraformVar{
{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "cloud_monitoring_instance_region", Value: region, DataType: "string"},
+ {Name: "instance_region", Value: region, DataType: "string"},
{Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_id"), DataType: "string"},
{Name: "cluster_resource_group_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_resource_group_id"), DataType: "string"},
{Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string", Secure: true},
@@ -160,10 +144,10 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) {
var region = validRegions[rand.IntN(len(validRegions))]
// ------------------------------------------------------------------------------------------------------
- // Deploy SLZ ROKS Cluster and Monitoring instances since it is needed to deploy Monitoring Agent
+ // Deploy OCP Cluster and Monitoring instance since it is needed to deploy agent
// ------------------------------------------------------------------------------------------------------
- prefix := fmt.Sprintf("slz-%s", strings.ToLower(random.UniqueId()))
+ prefix := fmt.Sprintf("ocp-%s", strings.ToLower(random.UniqueId()))
realTerraformDir := "./resources"
tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
@@ -209,15 +193,13 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) {
WaitJobCompleteMinutes: 60,
Region: region,
IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
- List: []string{
- "module.monitoring_agent.helm_release.cloud_monitoring_agent",
- },
+ List: IgnoreUpdates,
},
})
options.TerraformVars = []testschematic.TestSchematicTerraformVar{
{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "cloud_monitoring_instance_region", Value: region, DataType: "string"},
+ {Name: "instance_region", Value: region, DataType: "string"},
{Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_id"), DataType: "string"},
{Name: "cluster_resource_group_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_resource_group_id"), DataType: "string"},
{Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string", Secure: true},
@@ -243,16 +225,21 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) {
func TestRunAgentVpcKubernetes(t *testing.T) {
t.Parallel()
- options := setupOptions(t, "obs-agent-iks", terraformDirMonitoringAgentIKS)
- output, err := options.RunTestConsistency()
- assert.Nil(t, err, "This should not have errored")
- assert.NotNil(t, output, "Expected some output")
-}
-
-func TestRunAgentVpcOcp(t *testing.T) {
- t.Parallel()
+ options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: terraformDirMonitoringAgentIKS,
+ Prefix: "obs-agent-vpc-iks",
+ Region: validRegions[rand.IntN(len(validRegions))],
+ ResourceGroup: resourceGroup,
+ IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+ List: IgnoreUpdates,
+ },
+ IgnoreAdds: testhelper.Exemptions{
+ List: IgnoreAdds,
+ },
+ CloudInfoService: sharedInfoSvc,
+ })
- options := setupOptions(t, "obs-agent-roks", terraformDirMonitoringAgentROKS)
output, err := options.RunTestConsistency()
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
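Review bot: The `testhelper.TestOptionsDefaultWithVars` literal at L1925–L1938 is repeated almost verbatim in `TestRunAgentClassicKubernetes` (L1947–L1960) and in `TestRunAgentVpcOcp` in tests/other_test.go, differing only in `TerraformDir`, `Prefix` and `Region`; a small helper taking those three values would keep the exemption lists in one place, which is the part most likely to drift. This is a style point only; behaviour is unchanged. `TestRunAgentVpcKubernetes` continues past the end of this hunk.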
@@ -261,7 +248,24 @@ func TestRunAgentVpcOcp(t *testing.T) {
func TestRunAgentClassicKubernetes(t *testing.T) {
t.Parallel()
- options := setupOptions(t, "obs-agent-iks", terraformDirMonitoringAgentIKS)
+ options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: terraformDirMonitoringAgentIKS,
+ Prefix: "obs-agent-iks",
+ Region: "au-syd",
+ ResourceGroup: resourceGroup,
+ IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+ List: IgnoreUpdates,
+ },
+ IgnoreAdds: testhelper.Exemptions{
+ List: IgnoreAdds,
+ },
+ CloudInfoService: sharedInfoSvc,
+ })
+ options.TerraformVars = map[string]interface{}{
+ "datacenter": "syd01",
+ }
+
output, err := options.RunTestConsistency()
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
diff --git a/tests/resources/main.tf b/tests/resources/main.tf
index 78494dea..93c79af5 100644
--- a/tests/resources/main.tf
+++ b/tests/resources/main.tf
@@ -26,12 +26,21 @@ resource "ibm_is_vpc" "vpc" {
tags = var.resource_tags
}
+# Public gateway required when deploying a cluster with public endpoint enabled otherwise ingress goes into degraded state
+resource "ibm_is_public_gateway" "gateway" {
+ name = "${var.prefix}-gateway-1"
+ vpc = ibm_is_vpc.vpc.id
+ resource_group = module.resource_group.resource_group_id
+ zone = "${var.region}-1"
+}
+
resource "ibm_is_subnet" "subnet_zone_1" {
name = "${var.prefix}-subnet-1"
vpc = ibm_is_vpc.vpc.id
resource_group = module.resource_group.resource_group_id
zone = "${var.region}-1"
total_ipv4_address_count = 256
+ public_gateway = ibm_is_public_gateway.gateway.id
}
########################################################################################################################
@@ -80,12 +89,11 @@ module "ocp_base" {
##############################################################################
module "cloud_monitoring" {
- source = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
- version = "3.5.3"
- instance_name = "${var.prefix}-cloud-monitoring"
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- plan = "graduated-tier"
- tags = var.resource_tags
- enable_platform_metrics = false
+ source = "terraform-ibm-modules/cloud-monitoring/ibm"
+ version = "1.3.0"
+ instance_name = "${var.prefix}-cloud-monitoring"
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.resource_tags
+ region = var.region
+ plan = "graduated-tier"
}
diff --git a/tests/resources/outputs.tf b/tests/resources/outputs.tf
index adf05fa8..bb82ba67 100644
--- a/tests/resources/outputs.tf
+++ b/tests/resources/outputs.tf
@@ -4,7 +4,7 @@
output "region" {
value = var.region
- description = "Region where SLZ ROKS Cluster is deployed."
+ description = "Region where OCP Cluster is deployed."
}
output "cluster_id" {
@@ -12,11 +12,6 @@ output "cluster_id" {
description = "ID of the cluster."
}
-output "cluster_crn" {
- value = module.ocp_base.cluster_crn
- description = "CRN of the cluster."
-}
-
output "cluster_resource_group_id" {
value = module.ocp_base.resource_group_id
description = "Resource group ID of the cluster."
@@ -27,11 +22,6 @@ output "cluster_name" {
description = "Name of the cluster."
}
-output "instance_id" {
- value = module.cloud_monitoring.crn
- description = "The cloud monitoring instance crn."
-}
-
output "access_key" {
value = module.cloud_monitoring.access_key
description = "The access key of the provisioned IBM Cloud Monitoring instance."
diff --git a/tests/scripts/pre-validation-deploy-base-ocp-and-monitoring-instances.sh b/tests/scripts/pre-validation-deploy-base-ocp-and-monitoring-instances.sh
index 3758fed4..47305c44 100755
--- a/tests/scripts/pre-validation-deploy-base-ocp-and-monitoring-instances.sh
+++ b/tests/scripts/pre-validation-deploy-base-ocp-and-monitoring-instances.sh
@@ -30,7 +30,7 @@ TF_VARS_FILE="terraform.tfvars"
cluster_id_value=$(terraform output -state=terraform.tfstate -raw cluster_id)
cluster_resource_group_id_var_name="cluster_resource_group_id"
cluster_resource_group_id_value=$(terraform output -state=terraform.tfstate -raw cluster_resource_group_id)
- cloud_monitoring_instance_region_var_name="cloud_monitoring_instance_region"
+ cloud_monitoring_instance_region_var_name="instance_region"
access_key_var_name="access_key"
access_key_value=$(terraform output -state=terraform.tfstate -raw access_key)
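Review bot: The shell variable `cloud_monitoring_instance_region_var_name` at L2053 now holds `"instance_region"`, so its name no longer describes its value and will mislead the next reader; rename it to `instance_region_var_name="instance_region"` and update its uses, which are outside this hunk. The surrounding block continues past the end of the hunk.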
diff --git a/variables.tf b/variables.tf
index 03c96f77..a6e6f7ec 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,13 +4,13 @@
variable "cluster_id" {
type = string
- description = "The ID of the cluster you wish to deploy the agent in"
+ description = "The ID of the cluster you wish to deploy the agent in."
nullable = false
}
variable "cluster_resource_group_id" {
type = string
- description = "The Resource Group ID of the cluster"
+ description = "The resource group ID of the cluster."
nullable = false
}
@@ -26,18 +26,20 @@ variable "cluster_config_endpoint_type" {
}
variable "is_vpc_cluster" {
- description = "Specify true if the target cluster for the monitoring agent is a VPC cluster, false if it is a classic cluster."
+ description = "Specify true if the target cluster is a VPC cluster, false if it is a classic cluster."
type = bool
default = true
+ nullable = false
}
variable "wait_till" {
- description = "To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal`"
+ description = "To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported values are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal`"
type = string
default = "Normal"
+ nullable = false
validation {
- error_message = "`wait_till` value must be one of `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` or `Normal`."
+ error_message = "'wait_till' value must be one of 'MasterNodeReady', 'OneWorkerNodeReady', 'IngressReady' or 'Normal'."
condition = contains([
"MasterNodeReady",
"OneWorkerNodeReady",
@@ -51,15 +53,36 @@ variable "wait_till_timeout" {
description = "Timeout for wait_till in minutes."
type = number
default = 90
+ nullable = false
}
##############################################################################
-# Cloud Monitoring variables
+# Common agent variables
##############################################################################
+variable "instance_region" {
+ type = string
+ description = "The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent."
+ nullable = false
+}
+
+variable "use_private_endpoint" {
+ type = bool
+ description = "Whether send data over a private endpoint or not. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint."
+ default = true
+ nullable = false
+}
+
+variable "use_scc_wp_endpoint" {
+ type = bool
+ description = "By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true."
+ default = false
+ nullable = false
+}
+
variable "access_key" {
type = string
- description = "Access key used by the IBM Cloud Monitoring agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored on a new secret on the cluster if passed."
+ description = "Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance."
sensitive = true
default = null
validation {
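Review bot: The description of `use_private_endpoint` is missing its verb: `Whether send data over a private endpoint or not.` should read `Whether to send data over a private endpoint or not.`. In the same hunk, `use_scc_wp_endpoint` documents that the default endpoint is built from `instance_region` and `use_private_endpoint`, yet `instance_region` only has `nullable = false` and no `validation` block; if the module already carries a region list elsewhere, validating against it here would surface a typo at plan time rather than as an unreachable endpoint after the agent is deployed. The enclosing `access_key` variable continues past the end of this hunk.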
@@ -67,88 +90,43 @@ variable "access_key" {
(var.access_key != null && var.access_key != "") ||
(var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "")
)
- error_message = "Either `access_key` or `existing_access_key_secret_name` must be provided and non-empty."
+ error_message = "Either 'access_key' or 'existing_access_key_secret_name' must be provided and non-empty."
}
}
variable "existing_access_key_secret_name" {
type = string
- description = "An alternative to using the Sysdig Agent `access_key`. Specify the name of a Kubernetes secret containing an access-key entry. Either `access_key` or `existing_access_key_secret_name` is required."
+ description = "An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required."
default = null
}
-variable "cloud_monitoring_instance_region" {
- type = string
- description = "The IBM Cloud Monitoring instance region. Used to construct the ingestion endpoint."
- nullable = false
-}
-
-variable "cloud_monitoring_instance_endpoint_type" {
+variable "name" {
+ description = "The name to give the agent helm release."
type = string
- description = "Specify the IBM Cloud Monitoring instance endpoint type (public or private) to use. Used to construct the ingestion endpoint."
- default = "private"
- validation {
- error_message = "The specified endpoint type can be private or public only."
- condition = contains(["private", "public"], var.cloud_monitoring_instance_endpoint_type)
- }
-}
-
-variable "blacklisted_ports" {
- type = list(number)
- description = "To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports)."
- default = []
-}
-
-variable "metrics_filter" {
- type = list(object({
- include = optional(string)
- exclude = optional(string)
- }))
- description = "To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics."
- default = []
-}
-
-variable "container_filter" {
- type = list(object({
- type = string
- parameter = string
- name = string
- }))
- description = "To filter custom containers, specify which containers to include or exclude from metrics collection for the cloud monitoring agent. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data."
- default = []
- validation {
- condition = length(var.container_filter) == 0 || can(regex("^(include|exclude)$", var.container_filter[0].type))
- error_message = "Invalid input for `container_filter`. Valid options for 'type' are: `include` and `exclude`. If empty, no containers are included or excluded."
- }
+ default = "sysdig-agent"
}
variable "agent_tags" {
- description = "Map of tags to associate to all metrics that the agent collects. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag, e.g `{'environment': 'production'}."
+ description = "Map of tags to associate to the agent. For example, {\"environment\": \"production\"}. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag."
type = map(string)
default = {}
}
variable "add_cluster_name" {
type = bool
- description = "If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`."
+ description = "If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`."
default = true
}
-variable "name" {
- description = "Cloud Monitoring agent name. Used for naming all kubernetes and helm resources on the cluster."
- type = string
- default = "sysdig-agent"
-}
-
variable "namespace" {
type = string
- description = "Namespace where to deploy the Cloud Monitoring agent. Default value is 'ibm-observe'"
+ description = "Namespace to deploy the agent to."
default = "ibm-observe"
nullable = false
}
variable "tolerations" {
- description = "List of tolerations to apply to Cloud Monitoring agent."
+ description = "List of tolerations to apply to the agent."
type = list(object({
key = optional(string)
operator = optional(string)
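Review bot: The new description of `existing_access_key_secret_name` no longer says which data key inside the Kubernetes secret must hold the access key; the removed wording named `an access-key entry`, while `containing the access key` leaves that to guesswork for anyone pre-creating the secret, which is exactly the case this input exists for. State the key explicitly, e.g. `Specify the name of an existing Kubernetes secret containing the access key under the data key <SECRET_DATA_KEY> in the same namespace that is defined in the `namespace` input.`, with the real key name taken from wherever the module reads the secret. Separately, `name` is moved here with a non-null default but without the `nullable = false` that this change adds to `is_vpc_cluster`, `wait_till` and `wait_till_timeout`; `agent_tags` and `add_cluster_name` in this hunk have the same gap. The `tolerations` variable continues outside the hunk.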
@@ -167,98 +145,196 @@ variable "tolerations" {
}
variable "chart" {
- description = "The name of the Helm chart to deploy."
+ description = "The name of the Helm chart to deploy. Use `chart_location` to specify helm chart location."
type = string
- default = "sysdig-deploy" # Replace with the actual chart location if different
+ default = "sysdig-deploy"
nullable = false
}
variable "chart_location" {
- description = "The location of the Cloud Monitoring agent helm chart."
+ description = "The location of the agent helm chart."
type = string
- default = "https://charts.sysdig.com" # Replace with the actual repository URL if different
+ default = "https://charts.sysdig.com"
nullable = false
}
variable "chart_version" {
- description = "The version of the Cloud Monitoring agent helm chart to deploy."
+ description = "The version of the agent helm chart to deploy."
type = string
- default = "1.89.1" # registryUrl: charts.sysdig.com
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the registryUrl comment on next line
+ default = "1.89.1" # registryUrl: charts.sysdig.com
+ nullable = false
}
variable "image_registry_base_url" {
- description = "The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc."
+ description = "The image registry base URL to pull all images from. For example `icr.io` or `quay.io`."
type = string
default = "icr.io"
nullable = false
}
variable "image_registry_namespace" {
- description = "The namespace within the image registry to pull the Cloud Monitoring agent images from."
+ description = "The namespace within the image registry to pull all images from."
type = string
default = "ext/sysdig"
nullable = false
}
variable "agent_image_repository" {
- description = "The image repository to pull the Cloud Monitoring agent image from."
+ description = "The image repository to pull the agent image from."
type = string
default = "agent-slim"
nullable = false
}
variable "agent_image_tag_digest" {
- description = "The image tag digest to use for the Cloud Monitoring agent."
+ description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
type = string
- default = "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570" # datasource: icr.io/ext/sysdig/agent-slim
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570" # datasource: icr.io/ext/sysdig/agent-slim
+ nullable = false
}
variable "kernel_module_image_tag_digest" {
- description = "The image tag digest to use for the Cloud Monitoring agent kernel module used by the initContainer."
+ description = "The image tag or digest to use for the agent kernel module used by the initContainer. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`"
type = string
- default = "14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68" # datasource: icr.io/ext/sysdig/agent-kmodule
- nullable = false
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "14.0.1@sha256:9b1e900e2cd47cabe31b36f6ed41705b33e849de0639b29b326fb73e67ed8b68" # datasource: icr.io/ext/sysdig/agent-kmodule
+ nullable = false
}
variable "kernal_module_image_repository" {
- description = "The image repository to pull the Cloud Monitoring agent kernal module initContainer image from."
+ description = "The image repository to pull the agent kernal module initContainer image from."
type = string
default = "agent-kmodule"
nullable = false
}
-########################################################################################################################
-# Resource Management Variables
-########################################################################################################################
-
variable "agent_requests_cpu" {
type = string
- description = "Specifies the CPU requested to run in a node for the agent."
+ description = "Specify CPU resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements"
default = "1"
}
variable "agent_limits_cpu" {
type = string
- description = "Specifies the CPU limit for the agent."
+ description = "Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements"
default = "1"
}
variable "agent_requests_memory" {
type = string
- description = "Specifies the memory requested to run in a node for the agent."
+ description = "Specify memory resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements"
default = "1024Mi"
}
variable "agent_limits_memory" {
type = string
- description = "Specifies the memory limit for the agent."
+ description = "Specify memory resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements"
default = "1024Mi"
}
variable "enable_universal_ebpf" {
type = bool
- description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+ description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf"
+ default = true
+}
+
+variable "deployment_tag" {
+ type = string
+ description = "Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...)."
+ default = "terraform"
+}
+
+##############################################################################
+# Metrics related variables
+##############################################################################
+
+variable "blacklisted_ports" {
+ type = list(number)
+ description = "To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports"
+ default = []
+}
+
+variable "metrics_filter" {
+ type = list(object({
+ include = optional(string)
+ exclude = optional(string)
+ }))
+ description = "To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics"
+ default = []
+ # TODO: Add variable validation to ensure only include or exclude is in each item - not both
+}
+
+variable "container_filter" {
+ type = list(object({
+ type = string
+ parameter = string
+ name = string
+ }))
+ description = "Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data"
+ default = []
+ validation {
+ condition = length(var.container_filter) == 0 || can(regex("^(include|exclude)$", var.container_filter[0].type))
+ error_message = "Invalid input for 'container_filter'. Valid options for 'type' are: `include` and `exclude`."
+ }
+}
+
+##############################################################################
+# SCC-WP related variables
+##############################################################################
+
+variable "enable_host_scanner" {
+ type = bool
+ description = "Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results."
+ default = true
+}
+
+variable "enable_kspm_analyzer" {
+ type = bool
+ description = "Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results."
default = true
}
+
+variable "cluster_shield_deploy" {
+ type = bool
+ description = "Deploy the Cluster Shield component to provide runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment will be deployed to your cluster using helm."
+ default = true
+}
+
+variable "cluster_shield_image_tag_digest" {
+ description = "The image tag or digest to pull for the Cluster Shield component. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+ type = string
+ # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
+ default = "1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a" # datasource: icr.io/ext/sysdig/cluster-shield
+}
+
+variable "cluster_shield_image_repository" {
+ description = "The image repository to pull the Cluster Shield image from."
+ type = string
+ default = "cluster-shield"
+}
+
+variable "cluster_shield_requests_cpu" {
+ type = string
+ description = "Specify CPU resource requests for the cluster shield pods."
+ default = "500m"
+}
+
+variable "cluster_shield_limits_cpu" {
+ type = string
+ description = "Specify CPU resource limits for the cluster shield pods."
+ default = "1500m"
+}
+
+variable "cluster_shield_requests_memory" {
+ type = string
+ description = "Specify memory resource requests for the cluster shield pods."
+ default = "512Mi"
+}
+
+variable "cluster_shield_limits_memory" {
+ type = string
+ description = "Specify memory resource limits for the cluster shield pods."
+ default = "1536Mi"
+}
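Review bot: The `container_filter` validation only inspects `var.container_filter[0].type`, so any element after the first reaches the agent configuration with an unchecked `type`; since the variable is re-added here as new code, the condition should cover the whole list: `condition = alltrue([for f in var.container_filter : contains(["include", "exclude"], f.type)])`. Its error message also mixes quoting styles (`'container_filter'` next to backticked `include`), unlike the single-quote style this change adopts for `wait_till` and `access_key`. The new `cluster_shield_image_tag_digest`, `cluster_shield_image_repository`, the `cluster_shield_*` resource inputs and `deployment_tag` omit `nullable = false` while the neighbouring `agent_image_tag_digest` and `kernel_module_image_tag_digest` gain it in this hunk; a null image tag/digest would presumably be accepted and only fail where the image reference is interpolated. The digest descriptions state a required `X.Y.Z@sha256:xxxxx` shape but nothing enforces it; a `validation` with `can(regex(...))` on each of the three digest inputs would keep an unpinned tag from slipping in unnoticed.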
diff --git a/version.tf b/version.tf
index 3bfcce00..9ff5974f 100644
--- a/version.tf
+++ b/version.tf
@@ -12,7 +12,7 @@ terraform {
required_providers {
ibm = {
source = "ibm-cloud/ibm"
- version = ">= 1.79.0, <2.0.0"
+ version = ">= 1.79.2, <2.0.0"
}
helm = {
source = "hashicorp/helm"