feat: add support for sysdig deploy params

README.md

@@ -103,8 +103,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the IBM Cloud Monitoring agent to communicate with the instance | `string` | n/a | yes |
+| <a name="input_access_key_secret_name"></a> [access\_key\_secret\_name](#input\_access\_key\_secret\_name) | The name of a Kubernetes or OpenShift Secret that contains the Sysdig agent access key under the key `access-key`. This variable allows you to reference an existing secret in your cluster, rather than providing the access key directly in your Terraform configuration. | `string` | `null` | no |
+| <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
 | <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the Cloud Monitoring agent image from. | `string` | `"agent-slim"` | no |
 | <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent. | `string` | `"13.9.2@sha256:0dcdb6d70bab60dae4bf5f70c338f2feb9daeba514f1b8ad513ed24724c2a04d"` | no |
+| <a name="input_agent_limits_cpu"></a> [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specifies the CPU limit for the agent. | `string` | `"1"` | no |
+| <a name="input_agent_limits_memory"></a> [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specifies the memory limit for the agent. | `string` | `"1024Mi"` | no |
+| <a name="input_agent_requests_cpu"></a> [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specifies the CPU requested to run in a node for the agent. | `string` | `"1"` | no |
+| <a name="input_agent_requests_memory"></a> [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specifies the memory requested to run in a node for the agent. | `string` | `"1024Mi"` | no |
+| <a name="input_agent_tags"></a> [agent\_tags](#input\_agent\_tags) | Map of tags to associate to all metrics that the agent collects. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag, e.g `{'environment': 'production'}.` | `map(string)` | `{}` | no |
+| <a name="input_blacklisted_ports"></a> [blacklisted\_ports](#input\_blacklisted\_ports) | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_block_ports). | `list(number)` | `[]` | no |
 | <a name="input_chart"></a> [chart](#input\_chart) | The name of the Helm chart to deploy. | `string` | `"sysdig-deploy"` | no |
 | <a name="input_chart_location"></a> [chart\_location](#input\_chart\_location) | The location of the Cloud Monitoring agent helm chart. | `string` | `"https://charts.sysdig.com"` | no |
 | <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The version of the Cloud Monitoring agent helm chart to deploy. | `string` | `"1.85.1"` | no |
@@ -119,7 +127,7 @@ No modules.
 | <a name="input_is_vpc_cluster"></a> [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster for the monitoring agent is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
 | <a name="input_kernal_module_image_repository"></a> [kernal\_module\_image\_repository](#input\_kernal\_module\_image\_repository) | The image repository to pull the Cloud Monitoring agent kernal module initContainer image from. | `string` | `"agent-kmodule"` | no |
 | <a name="input_kernel_module_image_tag_digest"></a> [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image tag digest to use for the Cloud Monitoring agent kernel module used by the initContainer. | `string` | `"13.9.2@sha256:a6b301f24557c5e14ab5abe62577340e7ab33ce11f33cfcd4797296d1603184a"` | no |
-| <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics. | <pre>list(object({<br/>    type = string<br/>    name = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics, specify the Cloud Monitoring metrics to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics. | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Cloud Monitoring agent name. Used for naming all kubernetes and helm resources on the cluster. | `string` | `"sysdig-agent"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace where to deploy the Cloud Monitoring agent. Default value is 'ibm-observe' | `string` | `"ibm-observe"` | no |
 | <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | List of tolerations to apply to Cloud Monitoring agent. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  },<br/>  {<br/>    "effect": "NoSchedule",<br/>    "key": "node-role.kubernetes.io/master",<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |

examples/obs-agent-ocp/main.tf

@@ -26,12 +26,20 @@ resource "ibm_is_vpc" "vpc" {
   tags                      = var.resource_tags
 }
 
+resource "ibm_is_public_gateway" "gateway" {
+  name           = "${var.prefix}-gateway-1"
+  vpc            = ibm_is_vpc.vpc.id
+  resource_group = module.resource_group.resource_group_id
+  zone           = "${var.region}-1"
+}
+
 resource "ibm_is_subnet" "subnet_zone_1" {
   name                     = "${var.prefix}-subnet-1"
   vpc                      = ibm_is_vpc.vpc.id
   resource_group           = module.resource_group.resource_group_id
   zone                     = "${var.region}-1"
   total_ipv4_address_count = 256
+  public_gateway           = ibm_is_public_gateway.gateway.id
 }
 
 ########################################################################################################################
@@ -104,9 +112,20 @@ module "monitoring_agents" {
   cluster_id                = module.ocp_base.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
   # Monitoring agent
-  access_key = module.cloud_monitoring.access_key
-  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  metrics_filter                   = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
-  container_filter                 = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  access_key                       = module.cloud_monitoring.access_key
   cloud_monitoring_instance_region = var.region
+  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
+  metrics_filter    = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+  container_filter  = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  blacklisted_ports = [1, 2, 3]
+  tolerations = [
+    {
+      operator = "Exists"
+    },
+    {
+      operator = "Exists"
+      effect   = "NoSchedule"
+      key      = "node-role.kubernetes.io/master"
+    }
+  ]
 }

examples/obs-agent-ocp/outputs.tf

@@ -2,10 +2,35 @@
 # Outputs
 ##############################################################################
 
-#output "myoutput" {
-#  description = "Description of my output"
-#  value       = "value"
-#  depends_on  = [<some resource>]
-#}
+output "region" {
+  description = "The region where the resources are deployed."
+  value       = var.region
+}
+
+output "cloud_monitoring_name" {
+  description = "The name of the IBM Cloud Monitoring instance."
+  value       = module.cloud_monitoring.name
+}
+
+output "cloud_monitoring_access_key" {
+  description = "The access key that is used by the IBM Cloud Monitoring agent to communicate with the instance."
+  value       = module.cloud_monitoring.access_key
+  sensitive   = true
+}
+
+output "cluster_name" {
+  description = "The name of the OpenShift cluster."
+  value       = module.ocp_base.cluster_name
+}
+
+output "cluster_id" {
+  description = "The ID of the OpenShift cluster."
+  value       = module.ocp_base.cluster_id
+}
+
+output "cluster_resource_group_id" {
+  description = "The resource group ID of the cluster."
+  value       = module.resource_group.resource_group_id
+}
 
 ##############################################################################

examples/obs-agent-ocp/variables.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "A prefix for the name of all resources that are created by this example"
-  default     = "obs-agent-ocp"
+  default     = "mon-agent"
 }
 
 variable "resource_group" {
@@ -31,7 +31,7 @@ variable "access_tags" {
 variable "region" {
   type        = string
   description = "The region where the resources are created."
-  default     = "au-syd"
+  default     = "us-south"
 }
 
 variable "ocp_version" {

ibm_catalog.json

@@ -158,6 +158,27 @@
             {
               "key": "namespace"
             },
+            {
+              "key": "access_key_secret_name"
+            },
+            {
+              "key": "add_cluster_name"
+            },
+            {
+              "key": "agent_tags"
+            },
+            {
+              "key": "agent_requests_cpu"
+            },
+            {
+              "key": "agent_limits_cpu"
+            },
+            {
+              "key": "agent_requests_memory"
+            },
+            {
+              "key": "agent_limits_memory"
+            },
             {
               "key": "tolerations"
             },
@@ -174,6 +195,9 @@
                 }
               ]
             },
+            {
+              "key": "blacklisted_ports"
+            },
             {
               "key": "metrics_filter"
             },

main.tf

@@ -65,11 +65,19 @@ resource "helm_release" "cloud_monitoring_agent" {
     name  = "agent.slim.enabled"
     value = true
   }
-  set {
+  set_sensitive {
     name  = "global.sysdig.accessKey"
     type  = "string"
     value = var.access_key
   }
+  dynamic "set" {
+    for_each = var.access_key_secret_name != null && var.access_key_secret_name != "" ? [1] : []
+    content {
+      name  = "global.sysdig.accessKeySecret"
+      type  = "string"
+      value = var.access_key_secret_name
+    }
+  }
   set {
     name  = "global.clusterConfig.name"
     type  = "string"
@@ -95,6 +103,26 @@ resource "helm_release" "cloud_monitoring_agent" {
     type  = "string"
     value = var.agent_image_tag_digest
   }
+  set {
+    name  = "agent.resources.requests.cpu"
+    type  = "string"
+    value = var.agent_requests_cpu
+  }
+  set {
+    name  = "agent.resources.requests.memory"
+    type  = "string"
+    value = var.agent_requests_memory
+  }
+  set {
+    name  = "agent.resources.limits.cpu"
+    type  = "string"
+    value = var.agent_limits_cpu
+  }
+  set {
+    name  = "agent.resources.limits.memory"
+    type  = "string"
+    value = var.agent_limits_memory
+  }
   set {
     name  = "agent.slim.kmoduleImage.digest"
     type  = "string"
@@ -107,13 +135,27 @@ resource "helm_release" "cloud_monitoring_agent" {
     value = false
   }
 
-  values = [yamlencode({
-    metrics_filter = var.metrics_filter
-    }), yamlencode({
-    tolerations = var.tolerations
-    }), yamlencode({
-    container_filter = var.container_filter
-  })]
+  # Values to be passed to the agent config map, e.g `kubectl describe configmap sysdig-agent -n ibm-observe`
+  values = [
+    yamlencode({
+      agent = {
+        sysdig = {
+          settings = {
+            blacklisted_ports = var.blacklisted_ports
+            metrics_filter    = var.metrics_filter
+            container_filter  = var.container_filter
+          }
+          tags = merge(
+            var.agent_tags,
+            var.add_cluster_name ? {
+              "ibm-containers-kubernetes-cluster-name" = local.cluster_name
+            } : {}
+          )
+        },
+        tolerations = var.tolerations
+      }
+    })
+  ]
 
   provisioner "local-exec" {
     command     = "${path.module}/scripts/confirm-rollout-status.sh ${var.name} ${var.namespace}"

solutions/fully-configurable/DA-types.md

@@ -0,0 +1,49 @@
+## `metrics_filter`
+
+The `metrics_filter` variable allows you to control which custom metrics are collected by the IBM Cloud Monitoring agent. You can specify patterns to **include** or **exclude** certain metrics, giving you fine-grained control over the data sent to IBM Cloud Monitoring.
+
+### Type
+
+```hcl
+type = list(object({
+  include = optional(string)
+  exclude = optional(string)
+}))
+```
+
+### Description
+
+- **Purpose:**
+  Use `metrics_filter` to specify which metrics to include or exclude from collection. This is useful for reducing noise, focusing on relevant metrics, or optimizing resource usage.
+
+- **How it works:**
+  Each entry in the list can have an `include` or `exclude` field (or both).
+  - The value should be a string pattern (supports wildcards, e.g., `metricA.*`).
+  - `exclude` takes precedence over `include` if both match a metric.
+
+- **Default:**
+  ```hcl
+  default = []
+  ```
+  By default, no filtering is applied—all metrics are collected.
+
+### Example Usage
+
+```hcl
+metrics_filter = [
+  { exclude = "kube_pod_container_status_terminated_reason_oomkilled" },
+  { include = "custom_metric_prefix.*" }
+]
+```
+
+- The above configuration will:
+  - Exclude all metrics matching `kube_pod_container_status_terminated_reason_oomkilled`
+  - Include all metrics starting with `custom_metric_prefix.`
+
+### References
+
+- [IBM Docs: Filter metrics](https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics)
+---
+
+**Tip:**
+Use `metrics_filter` to optimize your monitoring setup by collecting only the metrics that matter most to your use case. This can help reduce costs and improve performance.

solutions/fully-configurable/main.tf

@@ -22,6 +22,10 @@ module "monitoring_agent" {
   namespace                               = var.namespace
   cloud_monitoring_instance_endpoint_type = var.cloud_monitoring_instance_endpoint_type
   access_key                              = var.access_key
+  access_key_secret_name                  = var.access_key_secret_name
+  agent_tags                              = var.agent_tags
+  add_cluster_name                        = var.add_cluster_name
+  blacklisted_ports                       = var.blacklisted_ports
   metrics_filter                          = var.metrics_filter
   cloud_monitoring_instance_region        = var.cloud_monitoring_instance_region
   tolerations                             = var.tolerations
@@ -34,4 +38,8 @@ module "monitoring_agent" {
   agent_image_tag_digest                  = var.agent_image_tag_digest
   kernel_module_image_tag_digest          = var.kernel_module_image_tag_digest
   kernal_module_image_repository          = var.kernal_module_image_repository
+  agent_limits_cpu                        = var.agent_limits_cpu
+  agent_limits_memory                     = var.agent_limits_memory
+  agent_requests_cpu                      = var.agent_requests_cpu
+  agent_requests_memory                   = var.agent_requests_memory
 }