cba4dde · Jul 29, 2025

History

History
166 lines (137 loc) · 18.9 KB
·

README.md

File metadata and controls

166 lines (137 loc) · 18.9 KB
·

IBM Cloud Monitoring and Workload Protection agent module


This module provisions a monitoring agent on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for metrics only (sent to an IBM Cloud Monitoring instance), for security and compliance data only (sent to an IBM Cloud Security and Compliance Center Workload Protection instance), or for both (sent to a connected pair of instances); see the access_key and instance_region inputs below for how each mode is selected.

Key considerations

  • Only one agent can be deployed on a given host. However, if the Monitoring instance and the Workload Protection instance are connected, a single agent collects both metrics and security data and delivers each to its instance.
  • You can use the terraform-ibm-cloud-monitoring module to provision a new instance of IBM Cloud Monitoring.
  • You can use the terraform-ibm-scc-workload-protection module to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. That module has an input called cloud_monitoring_instance_crn which creates the connection between the two instances.
  • Both instances must be in the same region.
  • You can connect only one Monitoring instance to one Workload Protection instance.
  • Connections can only be established between two new instances or between one new and one existing instance.
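As an added end-to-end example (not code from this README or the module), the connection described above expressed in Terraform: a new IBM Cloud Monitoring instance, a new Workload Protection instance connected to it through cloud_monitoring_instance_crn, and one agent that serves both. Both instances and the agent's instance_region share a single region, as the considerations require. The input names instance_name and name, and the outputs crn and access_key of the two instance modules, are assumptions about those modules' interfaces; confirm them against each module's README before use.

```hcl
# Added example, not from the monitoring-agent module README.
# Assumed interfaces (verify against the respective module READMEs):
#   module cloud-monitoring:          inputs instance_name/resource_group_id/region, outputs crn, access_key
#   module scc-workload-protection:   inputs name/resource_group_id/region/cloud_monitoring_instance_crn

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # supply via TF_VAR_ibmcloud_api_key, never in a .tf file
}

variable "region" {
  type    = string
  default = "us-south" # both instances and the agent endpoint must share this region
}

variable "cluster_id" {
  type = string
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

data "ibm_resource_group" "rg" {
  name = "Default" # assumption: the cluster and instances live in this resource group
}

# New Monitoring instance
module "cloud_monitoring" {
  source            = "terraform-ibm-modules/cloud-monitoring/ibm"
  version           = "X.Y.Z" # pin to a release
  instance_name     = "obs-monitoring"
  resource_group_id = data.ibm_resource_group.rg.id
  region            = var.region
}

# New Workload Protection instance, connected to the Monitoring instance above.
# The connection is what lets one agent feed both instances.
module "scc_workload_protection" {
  source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
  version                       = "X.Y.Z"
  name                          = "obs-workload-protection"
  resource_group_id             = data.ibm_resource_group.rg.id
  region                        = var.region
  cloud_monitoring_instance_crn = module.cloud_monitoring.crn
}

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id = var.cluster_id
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

# One agent for metrics and security. Per the access_key input, the "metrics plus
# security" mode uses a manager key scoped to the Monitoring instance, so the
# Monitoring endpoint (use_scc_wp_endpoint = false, the default) is the target.
module "monitoring_agent" {
  source                    = "terraform-ibm-modules/monitoring-agent/ibm"
  version                   = "X.Y.Z"
  is_vpc_cluster            = true
  cluster_id                = var.cluster_id
  cluster_resource_group_id = data.ibm_resource_group.rg.id
  access_key                = module.cloud_monitoring.access_key # sensitive output (assumed name)
  instance_region           = var.region
  use_scc_wp_endpoint       = false
  enable_kspm_analyzer      = true # results are viewed in the Workload Protection instance
  enable_host_scanner       = true

  depends_on = [module.scc_workload_protection] # ensure the connection exists before the agent starts
}
```

Because access_key is derived from a module output it still lands in Terraform state; treat the state backend as a secret store (encrypted, access-controlled) or switch to existing_access_key_secret_name to keep the key out of Terraform entirely.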

Overview

[Overview diagram: terraform-ibm-monitoring-agent]

Usage

#############################################################################
# Initialize cluster config for helm provider
#############################################################################

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id = "REPLACE" # Replace with the name or ID of the cluster
}

#############################################################################
# Configure providers
#############################################################################

# Keep credentials out of the .tf files: declare them as sensitive variables and
# supply them at run time (for example TF_VAR_ibmcloud_api_key / TF_VAR_access_key).
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

variable "access_key" {
  type      = string
  sensitive = true
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

#############################################################################
# Install agent
#############################################################################

module "monitoring_agent" {
  source                    = "terraform-ibm-modules/monitoring-agent/ibm"
  version                   = "X.Y.Z"  # Replace "X.Y.Z" with a release version to lock into a specific release
  is_vpc_cluster            = true     # Change to false if the target cluster is running on classic infrastructure
  cluster_id                = "REPLACE"
  cluster_resource_group_id = "REPLACE"
  access_key                = var.access_key # Manager key scoped to the Cloud Monitoring (or SCC-WP) instance
  instance_region           = "us-south"     # Region of the Cloud Monitoring / SCC-WP instance
}

Required IAM access policies

You need the following permissions to run this module.

  • Service
    • Resource group only
      • Viewer access on the specific resource group
    • Kubernetes service
      • Viewer platform access
      • Manager service access

Requirements

Name      | Version
--------- | ------------------
terraform | >= 1.9.0
helm      | >= 2.15.0, <3.0.0
ibm       | >= 1.79.2, <2.0.0

Modules

No modules.

Resources

Name                                         | Type
-------------------------------------------- | -----------
helm_release.cloud_monitoring_agent          | resource
ibm_container_cluster.cluster                | data source
ibm_container_cluster_config.cluster_config  | data source
ibm_container_vpc_cluster.cluster            | data source

Inputs

Each input is listed as name [type; default; required or optional], followed by its description.

  • access_key [string; default: null; optional]: Access key the agent uses to authenticate to the instance. Either access_key or existing_access_key_secret_name is required. If passed, the value is stored in a new secret on the cluster (and, like any Terraform-managed secret, in Terraform state). For metrics only, or for metrics together with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. For security and compliance only, use a manager key scoped to the Security and Compliance Center Workload Protection instance.
  • add_cluster_name [bool; default: true; optional]: If true, configure the agent to add a tag containing the cluster name, in the format ibm-containers-kubernetes-cluster-name: cluster_name.
  • agent_image_repository [string; default: "agent-slim"; optional]: The image repository to pull the agent image from.
  • agent_image_tag_digest [string; default: "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570"; optional]: The image tag or digest of the agent image to use. If using a digest, it must be in the format X.Y.Z@sha256:xxxxx.
  • agent_limits_cpu [string; default: "1"; optional]: CPU resource limit for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements
  • agent_limits_memory [string; default: "1024Mi"; optional]: Memory resource limit for the agent. See the resource requirements page linked above.
  • agent_requests_cpu [string; default: "1"; optional]: CPU resource request for the agent. See the resource requirements page linked above.
  • agent_requests_memory [string; default: "1024Mi"; optional]: Memory resource request for the agent. See the resource requirements page linked above.
  • agent_tags [map(string); default: {}; optional]: Map of tags to associate with the agent, for example {"environment": "production"}. Use the add_cluster_name variable to add the cluster name as a tag.
  • blacklisted_ports [list(number); default: []; optional]: Ports whose network traffic and metrics are filtered out of the collected data. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_agent#ports
  • chart [string; default: "sysdig-deploy"; optional]: The name of the Helm chart to deploy. Use chart_location to specify the chart location.
  • chart_location [string; default: "https://charts.sysdig.com"; optional]: The location of the agent Helm chart.
  • chart_version [string; default: "1.90.0"; optional]: The version of the agent Helm chart to deploy.
  • cluster_config_endpoint_type [string; default: "default"; optional]: The type of endpoint to use for cluster config access: 'default', 'private', 'vpe', or 'link'. 'default' uses the default endpoint of the cluster.
  • cluster_id [string; required]: The ID of the cluster to deploy the agent in.
  • cluster_resource_group_id [string; required]: The resource group ID of the cluster.
  • cluster_shield_deploy [bool; default: true; optional]: Deploy the Cluster Shield component, which provides runtime detection and policy enforcement for Kubernetes workloads. If enabled, a Kubernetes Deployment is installed in your cluster through Helm.
  • cluster_shield_image_repository [string; default: "cluster-shield"; optional]: The image repository to pull the Cluster Shield image from.
  • cluster_shield_image_tag_digest [string; default: "1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a"; optional]: The image tag or digest to pull for the Cluster Shield component. If using a digest, it must be in the format X.Y.Z@sha256:xxxxx.
  • cluster_shield_limits_cpu [string; default: "1500m"; optional]: CPU resource limit for the Cluster Shield pods.
  • cluster_shield_limits_memory [string; default: "1536Mi"; optional]: Memory resource limit for the Cluster Shield pods.
  • cluster_shield_requests_cpu [string; default: "500m"; optional]: CPU resource request for the Cluster Shield pods.
  • cluster_shield_requests_memory [string; default: "512Mi"; optional]: Memory resource request for the Cluster Shield pods.
  • container_filter [list(object({ type = string, parameter = string, name = string })); default: []; optional]: Exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data
  • deployment_tag [string; default: "terraform"; optional]: A global tag included in the components that records how they were installed (terraform, local, ...).
  • enable_host_scanner [bool; default: true; optional]: Enable host scanning to detect vulnerabilities and prioritize remediation by severity and available fixed versions. Requires a Security and Compliance Center Workload Protection instance to view results.
  • enable_kspm_analyzer [bool; default: true; optional]: Enable the Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results.
  • enable_universal_ebpf [bool; default: true; optional]: Deploy the agent with universal extended Berkeley Packet Filter (eBPF) enabled. Requires kernel version 5.8 or later. Learn more: https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf
  • existing_access_key_secret_name [string; default: null; optional]: An alternative to access_key: the name of an existing Kubernetes secret containing the access key, in the namespace given by the namespace input. Either access_key or existing_access_key_secret_name is required.
  • image_registry_base_url [string; default: "icr.io"; optional]: The image registry base URL to pull all images from, for example icr.io or quay.io.
  • image_registry_namespace [string; default: "ext/sysdig"; optional]: The namespace within the image registry to pull all images from.
  • instance_region [string; required]: The region of the IBM Cloud Monitoring instance to send metrics to; it is used to construct the ingestion and API endpoints. If the agent is used only for security and compliance monitoring, set this to the region of your Security and Compliance Center Workload Protection instance. If you have both instances, they must be connected and in the same region to share one agent.
  • is_vpc_cluster [bool; default: true; optional]: true if the target cluster is a VPC cluster, false if it is a classic cluster.
  • kernal_module_image_repository [string; default: "agent-kmodule"; optional]: The image repository to pull the agent kernel module initContainer image from. (The input name is spelled kernal_module_image_repository in the module; use it as written.)
  • kernel_module_image_tag_digest [string; default: "14.1.0@sha256:e58ff26bdda75f38b824005a55332cff3c641416e0a43b455e9afe1e059c6416"; optional]: The image tag or digest of the agent kernel module image used by the initContainer. If using a digest, it must be in the format X.Y.Z@sha256:xxxxx.
  • metrics_filter [list(object({ include = optional(string), exclude = optional(string) })); default: []; optional]: Which custom metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics
  • name [string; default: "sysdig-agent"; optional]: The name to give the agent Helm release.
  • namespace [string; default: "ibm-observe"; optional]: Namespace to deploy the agent to.
  • tolerations [list(object({ key = optional(string), operator = optional(string), value = optional(string), effect = optional(string), tolerationSeconds = optional(number) })); default: [{ operator = "Exists" }, { effect = "NoSchedule", key = "node-role.kubernetes.io/master", operator = "Exists" }]; optional]: List of tolerations to apply to the agent. The default entry { operator = "Exists" } with no key tolerates every taint, so the agent is scheduled on all nodes, including tainted ones; narrow it if some nodes must not run the agent.
  • use_private_endpoint [bool; default: true; optional]: Whether to send data over a private endpoint. To use a private endpoint, you must enable virtual routing and forwarding (VRF) for your account. See https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint.
  • use_scc_wp_endpoint [bool; default: false; optional]: By default an IBM Cloud Monitoring endpoint is used, constructed from the instance_region and use_private_endpoint inputs. Set this to true to use an IBM Cloud Security and Compliance Center Workload Protection endpoint instead.
  • wait_till [string; default: "Normal"; optional]: The stage at which Terraform treats the cluster as ready, so the module does not block on a cluster whose creation is still completing in the background. Depending on the stage you choose, the cluster might not be fully ready when the module proceeds. Supported values are MasterNodeReady, OneWorkerNodeReady, IngressReady, and Normal.
  • wait_till_timeout [number; default: 90; optional]: Timeout for wait_till, in minutes.
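An added example (not from this README or the module) that combines several of the inputs above: a security-and-compliance-only agent that reads its access key from a pre-existing Kubernetes secret through existing_access_key_secret_name, so the key itself is never a Terraform input, sends data to the Workload Protection instance over the private endpoint, and applies container, port and metrics filters. The secret entry name access-key, the region eu-de, the namespace name and the filter values are assumptions chosen for illustration; confirm the entry name the deployed chart version expects before relying on it.

```hcl
# Added example, not from the monitoring-agent module README.
# Precondition (out of band, e.g. by a secrets operator or once by an admin):
#   kubectl -n ibm-observe create secret generic sysdig-agent-access-key \
#     --from-literal=access-key="$SCC_WP_ACCESS_KEY"
# "access-key" is the assumed entry name read from the secret; verify it for your chart_version.

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

variable "cluster_id" {
  type = string
}

variable "cluster_resource_group_id" {
  type = string
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id = var.cluster_id
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

module "monitoring_agent" {
  source  = "terraform-ibm-modules/monitoring-agent/ibm"
  version = "X.Y.Z"

  is_vpc_cluster               = true
  cluster_id                   = var.cluster_id
  cluster_resource_group_id    = var.cluster_resource_group_id
  cluster_config_endpoint_type = "private" # reach the cluster API over the private endpoint

  # Security-and-compliance-only mode: the manager key scoped to the Workload Protection
  # instance already sits in the secret below, so no access_key is passed here.
  namespace                       = "ibm-observe"
  existing_access_key_secret_name = "sysdig-agent-access-key"

  # Target the Workload Protection instance (not Cloud Monitoring) over the private
  # endpoint; VRF must be enabled on the account for private endpoints.
  instance_region      = "eu-de" # assumed region of the Workload Protection instance
  use_scc_wp_endpoint  = true
  use_private_endpoint = true

  # Posture and vulnerability features; results are viewed in the Workload Protection instance.
  enable_kspm_analyzer  = true
  enable_host_scanner   = true
  cluster_shield_deploy = true

  # Universal eBPF requires kernel 5.8+; set to false on worker nodes with older kernels.
  enable_universal_ebpf = true

  # Reduce noise and data egress: skip containers in kube-system, drop traffic on SSH/DNS
  # ports, and keep only the custom metrics of interest. Values are illustrative.
  container_filter = [
    { type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" },
  ]
  blacklisted_ports = [22, 53]
  metrics_filter = [
    { include = "myapp.*" },
    { exclude = "myapp.debug.*" },
  ]

  # Pin images by digest rather than floating tag so a re-run cannot silently pull
  # a different image than the one reviewed.
  agent_image_tag_digest          = "14.0.1@sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570"
  cluster_shield_image_tag_digest = "1.13.0@sha256:0c8ee65a473e51b2a2c7bddf4e89008299cf203c50cd80fd97503cb121c1230a"

  agent_tags = {
    environment = "production"
    team        = "platform"
  }
}
```

With this arrangement the only secret Terraform holds is the IBM Cloud API key; rotating the agent key is a matter of updating the Kubernetes secret out of band and restarting the agent pods, with no Terraform apply required.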

Outputs

No outputs.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.