feat: added support for prometheus metrics scraping

README.md

@@ -135,7 +135,7 @@ No modules.
 | <a name="input_deployment_tag"></a> [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
 | <a name="input_enable_host_scanner"></a> [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
 | <a name="input_enable_kspm_analyzer"></a> [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
-| <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf | `bool` | `true` | no |
+| <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no |
 | <a name="input_existing_access_key_secret_name"></a> [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | <a name="input_image_registry_base_url"></a> [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
@@ -146,6 +146,7 @@ No modules.
 | <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the agent helm release. | `string` | `"sysdig-agent"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace to deploy the agent to. | `string` | `"ibm-observe"` | no |
+| <a name="input_prometheus"></a> [prometheus](#input\_prometheus) | Prometheus configuration for the agent. If you want to enable Prometheus configuration, set `file` to true and provide the prometheus.yaml file content in `yaml`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus). | <pre>object({<br/>    file = bool<br/>    yaml = map(any)<br/>  })</pre> | <pre>{<br/>  "file": false,<br/>  "yaml": {}<br/>}</pre> | no |
 | <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | List of tolerations to apply to the agent. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  },<br/>  {<br/>    "effect": "NoSchedule",<br/>    "key": "node-role.kubernetes.io/master",<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
 | <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Whether send data over a private endpoint or not. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint. | `bool` | `true` | no |
 | <a name="input_use_scc_wp_endpoint"></a> [use\_scc\_wp\_endpoint](#input\_use\_scc\_wp\_endpoint) | By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true. | `bool` | `false` | no |

ibm_catalog.json

@@ -302,6 +302,9 @@
                 "original_grouping": "deployment"
               }
             },
+            {
+              "key": "prometheus"
+            },
             {
               "key": "cluster_config_endpoint_type",
               "options": [

main.tf

@@ -253,6 +253,12 @@ resource "helm_release" "cloud_monitoring_agent" {
         "path": "/tmp"
       "name": "tmp-vol"
 %{endif~}
+  "prometheus":
+    "file": ${var.prometheus.file}
+    "yaml":
+%{for line in split("\n", yamlencode(var.prometheus.yaml))~}
+      ${line}
+%{endfor~}
 EOT
   ]
 

solutions/fully-configurable/DA-types.md

@@ -47,3 +47,56 @@ type = list(object({
 
 **Tip:**
 Use `metrics_filter` to optimize your monitoring setup by collecting only the metrics that matter most to your use case. This can help reduce costs and improve performance.
+
+## `prometheus`
+
+The `prometheus` variable allows you to enable sysdig agent to scrape metrics from processes that expose Prometheus metric endpoints on its own host and send findings to the Sysdig collector for storing and further processing.
+
+### Type
+
+```hcl
+object({
+    file = bool
+    yaml = map(any)
+  })
+```
+
+### Example Usage
+
+```hcl
+{
+  file = true
+  yaml = {
+    scrape_configs = [
+      {
+        job_name = "testing-prometheus-scrape"
+        tls_config = {
+          insecure_skip_verify = true
+        }
+        kubernetes_sd_configs = [
+          {
+            role = "pod"
+          }
+        ]
+        relabel_configs = [
+          {
+            action = "keep"
+            source_labels = ["__meta_kubernetes_pod_host_ip"]
+            regex = "__HOSTIPS__"
+          },
+          {
+            action = "drop"
+            source_labels = ["__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"]
+            regex = "true"
+          },
+          {
+            source_labels = ["__meta_kubernetes_pod_phase"]
+            action = "keep"
+            regex = "Running"
+          }
+        ]
+      }
+    ]
+  }
+}
+```

solutions/fully-configurable/main.tf

@@ -28,6 +28,7 @@ module "monitoring_agent" {
   blacklisted_ports               = var.blacklisted_ports
   metrics_filter                  = var.metrics_filter
   container_filter                = var.container_filter
+  prometheus                      = var.prometheus
   tolerations                     = var.tolerations
   chart                           = var.chart
   chart_location                  = var.chart_location

solutions/fully-configurable/variables.tf

@@ -235,7 +235,7 @@ variable "agent_limits_memory" {
 
 variable "enable_universal_ebpf" {
   type        = bool
-  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
+  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)."
   default     = true
 }
 
@@ -278,6 +278,24 @@ variable "container_filter" {
   }
 }
 
+variable "prometheus" {
+  description = "Prometheus configuration for the agent. If you want to enable Prometheus configuration, set `file` to true and provide the prometheus.yaml file content in `yaml`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus)."
+  type = object({
+    file = bool
+    yaml = map(any)
+  })
+  default = {
+    file = false
+    yaml = {}
+  }
+  validation {
+    condition = (
+      var.prometheus.file == false || length(keys(var.prometheus.yaml)) > 0
+    )
+    error_message = "If prometheus.file is true, 'yaml' must be a non-empty map."
+  }
+}
+
 ##############################################################################
 # SCC-WP related variables
 ##############################################################################

tests/pr_test.go

@@ -113,12 +113,49 @@ func TestFullyConfigurableSolution(t *testing.T) {
 			Region:                 region,
 		})
 
+		prometheus := map[string]interface{}{
+			"file": true,
+			"yaml": map[string]interface{}{
+
+				"scrape_configs": []map[string]interface{}{
+					{
+						"job_name": "testing-prometheus-scrape",
+						"tls_config": map[string]interface{}{
+							"insecure_skip_verify": true,
+						},
+						"kubernetes_sd_configs": []map[string]interface{}{
+							{
+								"role": "pod",
+							},
+						},
+						"relabel_configs": []map[string]interface{}{
+							{
+								"action":        "keep",
+								"source_labels": []string{"__meta_kubernetes_pod_host_ip"},
+								"regex":         "__HOSTIPS__",
+							},
+							{
+								"action":        "drop",
+								"source_labels": []string{"__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"},
+								"regex":         true,
+							},
+							{
+								"action":        "keep",
+								"source_labels": []string{"__meta_kubernetes_pod_phase"},
+								"regex":         "Running",
+							},
+						},
+					},
+				},
+			},
+		}
 		options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 			{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 			{Name: "instance_region", Value: region, DataType: "string"},
 			{Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_id"), DataType: "string"},
 			{Name: "cluster_resource_group_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_resource_group_id"), DataType: "string"},
 			{Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string", Secure: true},
+			{Name: "prometheus", Value: prometheus, DataType: "object{}", Secure: true},
 		}
 
 		err := options.RunSchematicTest()

variables.tf

@@ -236,7 +236,7 @@ variable "agent_limits_memory" {
 
 variable "enable_universal_ebpf" {
   type        = bool
-  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf"
+  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
   default     = true
 }
 
@@ -280,6 +280,24 @@ variable "container_filter" {
   }
 }
 
+variable "prometheus" {
+  description = "Prometheus configuration for the agent. If you want to enable Prometheus configuration, set `file` to true and provide the prometheus.yaml file content in `yaml`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus)."
+  type = object({
+    file = bool
+    yaml = map(any)
+  })
+  default = {
+    file = false
+    yaml = {}
+  }
+  validation {
+    condition = (
+      var.prometheus.file == false || length(keys(var.prometheus.yaml)) > 0
+    )
+    error_message = "If prometheus.file is true, 'yaml' must be a non-empty map."
+  }
+}
+
 ##############################################################################
 # SCC-WP related variables
 ##############################################################################