feat: added support for prometheus metrics scraping

README.md

@@ -135,7 +135,7 @@ No modules.
 | <a name="input_deployment_tag"></a> [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
 | <a name="input_enable_host_scanner"></a> [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
 | <a name="input_enable_kspm_analyzer"></a> [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
-| <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf | `bool` | `true` | no |
+| <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no |
 | <a name="input_existing_access_key_secret_name"></a> [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | <a name="input_image_registry_base_url"></a> [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
@@ -146,6 +146,7 @@ No modules.
 | <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the agent helm release. | `string` | `"sysdig-agent"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace to deploy the agent to. | `string` | `"ibm-observe"` | no |
+| <a name="input_prometheus_config"></a> [prometheus\_config](#input\_prometheus\_config) | Prometheus configuration for the agent. If you want to enable Prometheus configuration provide the prometheus.yaml file content in `hcl` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus). | `map(any)` | `{}` | no |
 | <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | List of tolerations to apply to the agent. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  },<br/>  {<br/>    "effect": "NoSchedule",<br/>    "key": "node-role.kubernetes.io/master",<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
 | <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Whether send data over a private endpoint or not. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint. | `bool` | `true` | no |
 | <a name="input_use_scc_wp_endpoint"></a> [use\_scc\_wp\_endpoint](#input\_use\_scc\_wp\_endpoint) | By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true. | `bool` | `false` | no |

examples/obs-agent-iks/main.tf

@@ -145,4 +145,5 @@ module "monitoring_agents" {
   is_vpc_cluster            = var.is_vpc_cluster
   access_key                = module.cloud_monitoring.access_key
   instance_region           = var.region
+  prometheus_config         = var.prometheus_config
 }

examples/obs-agent-iks/variables.tf

@@ -39,3 +39,9 @@ variable "datacenter" {
   description = "If creating a classic cluster, the data center where the cluster is created"
   default     = "syd01"
 }
+
+variable "prometheus_config" {
+  description = "Prometheus configuration for the agent. If you want to enable Prometheus configuration provide the prometheus.yaml file content in `hcl` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus)."
+  type        = map(any)
+  default     = {}
+}

main.tf

@@ -253,6 +253,12 @@ resource "helm_release" "cloud_monitoring_agent" {
         "path": "/tmp"
       "name": "tmp-vol"
 %{endif~}
+  "prometheus":
+    "file": ${length(var.prometheus_config) > 0}
+    "yaml":
+%{for line in split("\n", yamlencode(var.prometheus_config))~}
+      ${line}
+%{endfor~}
 EOT
   ]
 

solutions/fully-configurable/DA-types.md

@@ -47,3 +47,53 @@ type = list(object({
 
 **Tip:**
 Use `metrics_filter` to optimize your monitoring setup by collecting only the metrics that matter most to your use case. This can help reduce costs and improve performance.
+
+## `prometheus_config`
+
+The `prometheus_config` variable allows you to enable sysdig agent to scrape metrics from processes that expose Prometheus metric endpoints on its own host and send findings to the Sysdig collector for storing and further processing.
+
+### Type
+
+```hcl
+object({
+    file = bool
+    yaml = map(any)
+  })
+```
+
+### Example Usage
+
+```hcl
+config = {
+  scrape_configs = [
+    {
+      job_name = "testing-prometheus-scrape"
+      tls_config = {
+        insecure_skip_verify = true
+      }
+      kubernetes_sd_configs = [
+        {
+          role = "pod"
+        }
+      ]
+      relabel_configs = [
+        {
+          action = "keep"
+          source_labels = ["__meta_kubernetes_pod_host_ip"]
+          regex = "__HOSTIPS__"
+        },
+        {
+          action = "drop"
+          source_labels = ["__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"]
+          regex = "true"
+        },
+        {
+          source_labels = ["__meta_kubernetes_pod_phase"]
+          action = "keep"
+          regex = "Running"
+        }
+      ]
+    }
+  ]
+}
+```

solutions/fully-configurable/variables.tf

@@ -235,7 +235,7 @@ variable "agent_limits_memory" {
 
 variable "enable_universal_ebpf" {
   type        = bool
-  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
+  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)."
   default     = true
 }
 

tests/pr_test.go

@@ -112,7 +112,6 @@ func TestFullyConfigurableSolution(t *testing.T) {
 			WaitJobCompleteMinutes: 60,
 			Region:                 region,
 		})
-
 		options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 			{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 			{Name: "instance_region", Value: region, DataType: "string"},
@@ -240,6 +239,41 @@ func TestRunAgentVpcKubernetes(t *testing.T) {
 		CloudInfoService: sharedInfoSvc,
 	})
 
+	prometheus_config := map[string]interface{}{
+
+		"scrape_configs": []map[string]interface{}{
+			{
+				"job_name": "testing-prometheus-scrape",
+				"tls_config": map[string]interface{}{
+					"insecure_skip_verify": true,
+				},
+				"kubernetes_sd_configs": []map[string]interface{}{
+					{
+						"role": "pod",
+					},
+				},
+				"relabel_configs": []map[string]interface{}{
+					{
+						"action":        "keep",
+						"source_labels": []string{"__meta_kubernetes_pod_host_ip"},
+						"regex":         "__HOSTIPS__",
+					},
+					{
+						"action":        "drop",
+						"source_labels": []string{"__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit"},
+						"regex":         true,
+					},
+					{
+						"action":        "keep",
+						"source_labels": []string{"__meta_kubernetes_pod_phase"},
+						"regex":         "Running",
+					},
+				},
+			},
+		},
+	}
+
+	options.TerraformVars["prometheus_config"] = prometheus_config
 	output, err := options.RunTestConsistency()
 	assert.Nil(t, err, "This should not have errored")
 	assert.NotNil(t, output, "Expected some output")

variables.tf

@@ -236,7 +236,7 @@ variable "agent_limits_memory" {
 
 variable "enable_universal_ebpf" {
   type        = bool
-  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf"
+  description = "Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf)"
   default     = true
 }
 
@@ -290,6 +290,12 @@ variable "container_filter" {
   }
 }
 
+variable "prometheus_config" {
+  description = "Prometheus configuration for the agent. If you want to enable Prometheus configuration provide the prometheus.yaml file content in `hcl` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-types.md#prometheus)."
+  type        = map(any)
+  default     = {}
+}
+
 ##############################################################################
 # SCC-WP related variables
 ##############################################################################