Terraform Provider
Sysdig provides a Terraform Provider to expose and use some of the most common Sysdig API functions for
- Sysdig Platform
- Sysdig Secure
- Sysdig Monitor
Learn more about using the provider in the official Terraform Registry - Sysdig Provider repository.
You can also provide feedback or create pull requests in the Sysdig Terraform Provider Source Github Repository
Using Terraform
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
Configuration files describe to Terraform the components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure or configuration.
As the configuration changes, Terraform is able to determine what changed and create incremental execution plans which can be applied.
Terraform Provider for Sysdig
The Terraform Provider for Sysdig allows you to manage your configuration in Sysdig Secure and Sysdig Monitor as code, allowing you to synchronize your declarative configuration with the configuration at the Platform.
You can instrument several use cases like:
- Backup/restore
- Disaster recovery
- Configuration version management
Installation
Follow Terraform Registry - Sysdig Provider official instructions.
Create Resources with Terraform
This is an example to create a pair of rules able to detect SSH connections and shells spawned in containers.
Define a couple of rules in the
rules.tffile. One rule to detect inbound and outbound connections made to the port 22, and the other to detect a shell process being spawned.resource "sysdig_secure_rule_network" "disallowed_ssh_connection" { name = "Disallowed SSH Connection detected" description = "Detect any new ssh connection to a host" tags = ["network"] block_inbound = true block_outbound = true tcp { matching = true ports = [22] } } resource "sysdig_secure_rule_process" "terminal_shell" { name = "Terminal shell detected" description = "A shell was used as the entrypoint/exec point" tags = ["shell"] processes = ["ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"] }For more information about the configuration blocks, see Terraform Syntax.
Create a policy in a file called
policy.tfto define how these rules are applied. The policy will stop the affected container and trigger a capture for further troubleshooting.resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" { name = "Terminal shell or SSH detected in container" description = "Detects a terminal shell or a ssh spawned in a container" enabled = true severity = 0 // HIGH scope = "container.id != \"\"" rule_names = [sysdig_secure_rule_network.disallowed_ssh_connection.name, sysdig_secure_rule_process.terminal_shell.name] actions { container = "stop" capture { seconds_before_event = 5 seconds_after_event = 10 } } }With the given
scope, the policy will only be applied to processes being executed inside containers:scope = "container.id != \"\""Perfrom
terraform apply.Using
terraform applythe resources are applied in the backend:
Terraform reports that three resources will be created, which matches what you defined in
rules.tfandpolicy.tf.
After applying the plan, ensure that Terraform reports about the resource creation.
The policy uses the rules created before, therefore, it’s the last one being created.
When the resources have been created, they appear as follows in the Sysdig Secure UI.
However, if this policy triggers no alert notification unless you create notification channels.
Create two notification channels, one for the email and another one for slack in a file called
notification.tf.resource "sysdig_secure_notification_channel_email" "devops-email" { name = "DevOps e-mail" enabled = true recipients = "devops@example.com" notify_when_ok = false notify_when_resolved = false } resource "sysdig_secure_notification_channel_slack" "devops-slack" { name = "DevOps Slack" enabled = true url = "https://hooks.slack.com/services/xyz" channel = "#devops" notify_when_ok = false notify_when_resolved = false }They will alert when the policy is triggered.
Bind them to the policy by modifying the
policy.tffile. Note thenotification_channelsproperty:resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" { name = "Terminal shell or SSH detected in container" description = "Detects a terminal shell or a ssh spawned in a container" enabled = true severity = 0 // HIGH scope = "container.id != \"\"" rule_names = [sysdig_secure_rule_network.disallowed_ssh_connection.name, sysdig_secure_rule_process.terminal_shell.name] actions { container = "stop" capture { seconds_before_event = 5 seconds_after_event = 10 } } notification_channels = [sysdig_secure_notification_channel_email.devops-email.id, sysdig_secure_notification_channel_slack.devops-slack.id] }Perform
terraform apply.Terraform will create two new resources and modify the existing policy
Choose yes.
Terraform will create the notification channels and bind them to the policy, ensuring that the state in Monitor and Secure matches our state defined in the code.
This is how the resources appear on the Sysdig Secure UI:
Now, if you try to update it manually, by re-applying the policies, Terraform will restore the desired status from the .tf manifests.
Create Custom Controls with Terraform
This is an example to create a custom control to detect S3 Buckets without versioning enabled:
- Define the control in the
controls.tffile.
resource "sysdig_secure_posture_control" "s3_bucket_without_versioning" {
name = "S3 Bucket without versioning"
description = "Ensure that S3 object versioning is enabled for your Amazon S3 buckets in order to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention."
resource_kind = "AWS_S3_BUCKET"
severity = "High"
rego = <<-EOF
package sysdig
import future.keywords.if
import future.keywords.in
default risky := false
risky if {
count(input.Versioning) == 0
}
risky if {
some version in input.Versioning
lower(version.Status) != "enabled"
}
EOF
remediation_details = <<-EOF
## Remediation Impact
Versioning-enabled Amazon S3 buckets will allow you to preserve, retrieve, and restore every version of an S3 object. S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten by AWS users or applications and archiving previous versions of objects to Amazon S3 Glacier for long-term low-cost storage. With S3 versioning, you can easily recover from both unintended user actions and application failures.
## Remediate Using Command Line
1. Run put-bucket-versioning command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to enable S3 object versioning for the selected bucket. If the request is successful, the put-bucket-versioning command should not return an output:
```
aws s3api put-bucket-versioning --bucket cc-prod-web-data --versioning-configuration Status=Enabled
```
2. Repeat step no. 1 to enable S3 object versioning for other Amazon S3 buckets available within your AWS cloud account.
EOF
}
- Perform
terraform apply.
Te new control will appear in the Control Library and is ready to be used in custom policies.
Learn More
Check all the available resources and datasources for the Terraform Provider for Sysdig in the official Terraform Registry.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.