This module supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
- Metrics monitoring with IBM Cloud Monitoring
- Security and compliance with IBM Cloud Security and Compliance Center Workload Protection

- Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
- You can use the terraform-ibm-cloud-monitoring module to provision a new instance of IBM Cloud Monitoring.
- You can use the terraform-ibm-scc-workload-protection module to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This module has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
  - Both instances must be in the same region.
  - You can connect only one Monitoring instance to one Workload Protection instance.
  - Connections can only be established between two new instances or between one new and one existing instance.
```hcl
#############################################################################
# Initialize cluster config for helm provider
#############################################################################
data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id = "REPLACE" # Replace with name or ID of cluster
}

#############################################################################
# Configure providers
#############################################################################
provider "ibm" {
  # Replace with IBM Cloud API key, or omit this argument and export it as the
  # IC_API_KEY environment variable so the key is not committed with the code.
  ibmcloud_api_key = "XXXXXXXXXXXXXXXXX"
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

#############################################################################
# Install agent
#############################################################################
module "monitoring_agent" {
  source                    = "terraform-ibm-modules/monitoring-agent/ibm"
  version                   = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
  is_vpc_cluster            = true    # Change to false if target cluster is running on classic infrastructure
  cluster_id                = "REPLACE"
  cluster_resource_group_id = "REPLACE"
  access_key                = "XXXXXXXX"
  instance_region           = "us-south" # enter region of Cloud Monitoring / SCC-WP instance
}
```
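A hardened variant of the usage above, added here as an example and not taken from the module's own documentation: the IBM Cloud API key comes from the provider's environment variable rather than the `.tf` file, the agent access key is read from a Kubernetes secret that already exists in the agent namespace (the secret name `sysdig-agent-access-key` is assumed), and the agent reports only to a Workload Protection instance over private endpoints. The `cluster_id` and `cluster_resource_group_id` variables are declared in the block itself.

```terraform
# Credentials are supplied out of band: the IBM provider reads the API key from
# the IC_API_KEY (or IBMCLOUD_API_KEY) environment variable when
# ibmcloud_api_key is not set, so nothing secret is committed with this file.
provider "ibm" {}

variable "cluster_id" {
  type = string # ID of the target cluster
}

variable "cluster_resource_group_id" {
  type = string # resource group ID of the target cluster
}

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id   = var.cluster_id
  resource_group_id = var.cluster_resource_group_id
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

module "monitoring_agent" {
  source  = "terraform-ibm-modules/monitoring-agent/ibm"
  version = "X.Y.Z" # pin to a release

  is_vpc_cluster               = true
  cluster_id                   = var.cluster_id
  cluster_resource_group_id    = var.cluster_resource_group_id
  cluster_config_endpoint_type = "private" # reach the cluster API over its private endpoint

  # The access key is read from a Kubernetes secret that already exists in the
  # agent namespace (created by your secrets tooling, not by Terraform), so it
  # appears neither in .tf files nor in the state. The secret name is assumed.
  # For a security-and-compliance-only agent the key stored there must be a
  # manager key scoped to the Workload Protection instance.
  namespace                       = "ibm-observe"
  existing_access_key_secret_name = "sysdig-agent-access-key"

  # Report only to the Workload Protection instance, over the private network
  # (use_private_endpoint requires VRF to be enabled on the account).
  instance_region      = "us-south" # region of the Workload Protection instance
  use_scc_wp_endpoint  = true
  use_private_endpoint = true
}
```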
You need the following permissions to run this module.
- Service
  - Resource group only
    - `Viewer` access on the specific resource group
  - Kubernetes service
    - `Viewer` platform access
    - `Manager` service access
| Name | Version |
|---|---|
| terraform | >= 1.9.0 |
| helm | >= 2.15.0, <3.0.0 |
| ibm | >= 1.79.2, <2.0.0 |
No modules.
| Name | Type |
|---|---|
| helm_release.cloud_monitoring_agent | resource |
| ibm_container_cluster.cluster | data source |
| ibm_container_cluster_config.cluster_config | data source |
| ibm_container_vpc_cluster.cluster | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_key | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or for metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance, use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no |
| add_cluster_name | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
| agent_image_repository | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no |
| agent_image_tag_digest | The image tag or digest of the agent image to use. If using a digest, it must be in the format `X.Y.Z@sha256:xxxxx`. | `string` | `"14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570"` | no |
| agent_limits_cpu | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
| agent_limits_memory | Specify memory resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
| agent_requests_cpu | Specify CPU resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
| agent_requests_memory | Specify memory resource requests for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
| agent_tags | Map of tags to associate with the agent. For example, `{"environment": "production"}`. NOTE: Use the `add_cluster_name` boolean variable to add the cluster name as a tag. | `map(string)` | `{}` | no |
| blacklisted_ports | To block network traffic and metrics from network ports, pass the list of ports from which you want to filter out any data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports | `list(number)` | `[]` | no |
| chart | The name of the Helm chart to deploy. Use `chart_location` to specify the Helm chart location. | `string` | `"sysdig-deploy"` | no |
| chart_location | The location of the agent Helm chart. | `string` | `"https://charts.sysdig.com"` | no |
| chart_version | The version of the agent Helm chart to deploy. | `string` | `"1.90.0"` | no |
| cluster_config_endpoint_type | Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. The 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
| cluster_id | The ID of the cluster you wish to deploy the agent in. | `string` | n/a | yes |
| cluster_resource_group_id | The resource group ID of the cluster. | `string` | n/a | yes |
| cluster_shield_deploy | Deploy the Cluster Shield component to provide runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment will be deployed to your cluster using Helm. | `bool` | `true` | no |
| cluster_shield_image_repository | The image repository to pull the Cluster Shield image from. | `string` | `"cluster-shield"` | no |
| cluster_shield_image_tag_digest | The image tag or digest to pull for the Cluster Shield component. If using a digest, it must be in the format `X.Y.Z@sha256:xxxxx`. | `string` | `"1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a"` | no |
| cluster_shield_limits_cpu | Specify CPU resource limits for the Cluster Shield pods. | `string` | `"1500m"` | no |
| cluster_shield_limits_memory | Specify memory resource limits for the Cluster Shield pods. | `string` | `"1536Mi"` | no |
| cluster_shield_requests_cpu | Specify CPU resource requests for the Cluster Shield pods. | `string` | `"500m"` | no |
| cluster_shield_requests_memory | Specify memory resource requests for the Cluster Shield pods. | `string` | `"512Mi"` | no |
| container_filter | Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data | `list(object({` | `[]` | no |
| deployment_tag | Sets a global tag that will be included in the components. It represents the mechanism from which the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
| enable_host_scanner | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
| enable_kspm_analyzer | Enable the Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
| enable_universal_ebpf | Deploy the monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf | `bool` | `true` | no |
| existing_access_key_secret_name | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
| image_registry_base_url | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
| image_registry_namespace | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
| instance_region | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and API endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes |
| is_vpc_cluster | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
| kernal_module_image_repository | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no |
| kernel_module_image_tag_digest | The image tag or digest to use for the agent kernel module used by the initContainer. If using a digest, it must be in the format `X.Y.Z@sha256:xxxxx`. | `string` | `"14.1.0@sha256:e58ff26bdda75f38b824005a55332cff3c641416e0a43b455e9afe1e059c6416"` | no |
| metrics_filter | To filter custom metrics, you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics | `list(object({` | `[]` | no |
| name | The name to give the agent Helm release. | `string` | `"sysdig-agent"` | no |
| namespace | Namespace to deploy the agent to. | `string` | `"ibm-observe"` | no |
| tolerations | List of tolerations to apply to the agent. | `list(object({` | `[` | no |
| use_private_endpoint | Whether to send data over a private endpoint. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint. | `bool` | `true` | no |
| use_scc_wp_endpoint | By default an IBM Cloud Monitoring endpoint is used and is constructed from the `instance_region` and `use_private_endpoint` inputs. To use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead, set this to true. | `bool` | `false` | no |
| wait_till | To avoid long wait times when you run your Terraform code, you can specify the stage at which you want Terraform to mark the cluster resource creation as completed. Depending on the stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported values are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal`. | `string` | `"Normal"` | no |
| wait_till_timeout | Timeout for `wait_till` in minutes. | `number` | `90` | no |
No outputs.
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.