diff --git a/README.md b/README.md
index 96f2ff22..06370253 100644
--- a/README.md
+++ b/README.md
@@ -135,7 +135,7 @@ No modules.
 | [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
 | [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
 | [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
-| [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf | `bool` | `true` | no |
+| [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no |
 | [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. 
| `string` | `null` | no |
 | [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
 | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
@@ -146,6 +146,7 @@ No modules.
 | [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics |
list(object({
include = optional(string)
exclude = optional(string)
})) | `[]` | no |
| [name](#input\_name) | The name to give the agent helm release. | `string` | `"sysdig-agent"` | no |
| [namespace](#input\_namespace) | Namespace to deploy the agent to. | `string` | `"ibm-observe"` | no |
+| [prometheus\_config](#input\_prometheus\_config) | Prometheus configuration for the agent. If you want to enable Prometheus configuration provide the prometheus.yaml file content in `hcl` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus_config). | `map(any)` | `{}` | no |
| [tolerations](#input\_tolerations) | List of tolerations to apply to the agent. | list(object({
key = optional(string)
operator = optional(string)
value = optional(string)
effect = optional(string)
tolerationSeconds = optional(number)
})) | [| no |
 | [use\_private\_endpoint](#input\_use\_private\_endpoint) | Whether send data over a private endpoint or not. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint. | `bool` | `true` | no |
 | [use\_scc\_wp\_endpoint](#input\_use\_scc\_wp\_endpoint) | By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true. | `bool` | `false` | no |
diff --git a/examples/obs-agent-iks/main.tf b/examples/obs-agent-iks/main.tf
index c69776a4..d2a2711d 100644
--- a/examples/obs-agent-iks/main.tf
+++ b/examples/obs-agent-iks/main.tf
@@ -145,4 +145,36 @@ module "monitoring_agents" {
 is_vpc_cluster = var.is_vpc_cluster
 access_key = module.cloud_monitoring.access_key
 instance_region = var.region
+ prometheus_config = {
+ scrape_configs = [
+ {
+ job_name = "testing-prometheus-scrape"
+ tls_config = {
+ insecure_skip_verify = true
+ }
+ kubernetes_sd_configs = [
+ {
+ role = "pod"
+ }
+ ]
+ relabel_configs = [
+ {
+ action = "keep"
+ source_labels = ["__meta_kubernetes_pod_host_ip"]
+ regex = "__HOSTIPS__"
+ },
+ {
+ action = "drop"
+ source_labels = ["__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"]
+ regex = "true"
+ },
+ {
+ source_labels = ["__meta_kubernetes_pod_phase"]
+ action = "keep"
+ regex = "Running"
+ }
+ ]
+ }
+ ]
+ }
 }
diff --git a/main.tf b/main.tf
index 5b2b8325..2cb9cabe 100644
--- a/main.tf
+++ b/main.tf
@@ -253,6 +253,12 @@ resource "helm_release" "cloud_monitoring_agent" {
 "path": "/tmp"
 "name": "tmp-vol"
 %{endif~}
+ "prometheus":
+ "file": ${length(var.prometheus_config) > 0}
+ "yaml":
+%{for line in split("\n", yamlencode(var.prometheus_config))~}
+ ${line}
+%{endfor~}
 EOT
 ]
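Review bot: The example's `tls_config` sets `insecure_skip_verify = true`, which turns off certificate verification for every target matched by this scrape job; because this block is the reference snippet (it is reproduced verbatim in DA-types.md), it is likely to be copied into real clusters as-is. Either remove the `tls_config` block from the example or mark it explicitly, e.g. `insecure_skip_verify = true # TEST ONLY: disables TLS certificate verification for scrape targets`. The `regex = "__HOSTIPS__"` value looks like a placeholder the agent substitutes at runtime rather than a literal pattern, so a short comment saying so would save readers a detour. The enclosing `module "monitoring_agents"` block starts before the hunk.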
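Review bot: `split("\n", yamlencode(var.prometheus_config))` ends with an empty element, since `yamlencode` output terminates with a newline, so the loop emits one extra whitespace-only line under `yaml:`; trimming first avoids it: `%{for line in split("\n", chomp(yamlencode(var.prometheus_config)))~}`. Separately, the `~` on the `%{for …~}` directive strips the literal whitespace that follows it, which as far as I can tell includes the indentation in front of `${line}`; the collapsed diff hides the original indentation, so please confirm from a rendered plan that the encoded lines land nested under `yaml:` rather than at column 0, where they would be parsed as siblings of `prometheus`. The `helm_release` resource begins before the hunk.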
diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md
index 7304602b..3e80bd8b 100644
--- a/solutions/fully-configurable/DA-types.md
+++ b/solutions/fully-configurable/DA-types.md
@@ -47,3 +47,50 @@ type = list(object({
 **Tip:** Use `metrics_filter` to optimize your monitoring setup by collecting only the metrics that matter most to your use case. This can help reduce costs and improve performance.
+
+## `prometheus_config`
+
+The `prometheus_config` variable allows you to enable sysdig agent to scrape metrics from processes that expose Prometheus metric endpoints on its own host and send findings to the Sysdig collector for storing and further processing.
+
+### Type
+
+```hcl
+map(any)
+```
+
+### Example Usage
+
+```hcl
+{
+ scrape_configs = [
+ {
+ job_name = "testing-prometheus-scrape"
+ tls_config = {
+ insecure_skip_verify = true
+ }
+ kubernetes_sd_configs = [
+ {
+ role = "pod"
+ }
+ ]
+ relabel_configs = [
+ {
+ action = "keep"
+ source_labels = ["__meta_kubernetes_pod_host_ip"]
+ regex = "__HOSTIPS__"
+ },
+ {
+ action = "drop"
+ source_labels = ["__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"]
+ regex = "true"
+ },
+ {
+ source_labels = ["__meta_kubernetes_pod_phase"]
+ action = "keep"
+ regex = "Running"
+ }
+ ]
+ }
+ ]
+}
+```
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 22a8e90d..be37bdc9 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -235,7 +235,7 @@ variable "agent_limits_memory" {
 variable "enable_universal_ebpf" {
 type = bool
- description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
+ description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)."
 default = true
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 7797e10e..67edf624 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -112,7 +112,6 @@ func TestFullyConfigurableSolution(t *testing.T) {
 WaitJobCompleteMinutes: 60,
 Region: region,
 })
-
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "instance_region", Value: region, DataType: "string"},
@@ -239,7 +238,6 @@ func TestRunAgentVpcKubernetes(t *testing.T) {
 },
 CloudInfoService: sharedInfoSvc,
 })
-
 output, err := options.RunTestConsistency()
 assert.Nil(t, err, "This should not have errored")
 assert.NotNil(t, output, "Expected some output")
diff --git a/variables.tf b/variables.tf
index 2c9699f6..e12d47ce 100644
--- a/variables.tf
+++ b/variables.tf
@@ -236,7 +236,7 @@ variable "agent_limits_memory" {
 variable "enable_universal_ebpf" {
 type = bool
- description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf"
+ description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
 default = true
 }
@@ -290,6 +290,13 @@ variable "container_filter" {
 }
 }
+variable "prometheus_config" {
+ description = "Prometheus configuration for the agent. If you want to enable Prometheus configuration provide the prometheus.yaml file content in `hcl` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus_config)."
+ type = map(any)
+ default = {}
+ nullable = false
+}
+
 ##############################################################################
 # SCC-WP related variables
 ##############################################################################
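Review bot: `type = map(any)` requires every top-level value of `prometheus_config` to convert to one common type, so a realistic `prometheus.yaml` that carries both `global = { … }` (an object) and `scrape_configs = [ … ]` (a list) is rejected at plan time with Terraform's "all map elements must have the same type" error; only single-key inputs like the documented example get through. Since the value is only ever passed to `yamlencode`, declaring it as `type = any` (keeping `default = {}` and `nullable = false`) accepts arbitrary nested YAML-shaped data without changing the rendering. The description should then say that any valid prometheus.yaml structure is accepted, e.g. `# Free-form: the HCL equivalent of a prometheus.yaml document (global, scrape_configs, …); rendered with yamlencode`.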
{
"operator": "Exists"
},
{
"effect": "NoSchedule",
"key": "node-role.kubernetes.io/master",
"operator": "Exists"
}
]