Terraform Provider

Sysdig provides a Terraform Provider to expose and use some of the most common Sysdig API functions for

  • Sysdig Overall Platform (sysdig user, …)
  • Sysdig Secure (policies, rules, notification channels, …)
  • Sysdig Monitor (alerts, dashboard, notificaion channels, …)

Learn more about using the provider in the official Terraform Registry - Sysdig Provider repository.

Or deliver feedback/pull requests in the Sysdig Terraform Provider Source Github Repository

What is Terraform

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.

Configuration files describe to Terraform the components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure or configuration.

As the configuration changes, Terraform is able to determine what changed and create incremental execution plans which can be applied.

Terraform Provider for Sysdig

The Terraform Provider for Sysdig allows you to manage your configuration in Sysdig Secure and Sysdig Monitor as code, allowing you to synchronize your declarative configuration with the configuration at the Platform.

You can instrument several use cases like:

  • Backup/restore
  • Disaster recovery
  • Configuration version management

Installation

Follow Terraform Registry - Sysdig Provider official instructions.

Creating resources with Terraform

This is an example to create a pair of rules able to detect SSH connections and shells spawned in containers.

Start by defining a couple of rules in the rules.tf file. One rule will detect inbound and outbound connections made to the port 22, and the other will detect a shell process being spawned.

For more information about the configuration blocks, see: https://www.terraform.io/docs/configuration/syntax.html

resource "sysdig_secure_rule_network" "disallowed_ssh_connection" {
  name           = "Disallowed SSH Connection detected"
  description    = "Detect any new ssh connection to a host"
  tags           = ["network"]

  block_inbound  = true
  block_outbound = true

  tcp {
    matching     = true
    ports        = [22]
  }
}

resource "sysdig_secure_rule_process" "terminal_shell" {
  name        = "Terminal shell detected"
  description = "A shell was used as the entrypoint/exec point"
  tags        = ["shell"]

  processes   = ["ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]
}

Now create a policy in a file called policy.tf to define how these rules are applied. The policy will stop the affected container and trigger a capture for further troubleshooting.

resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" {
  name        = "Terminal shell or SSH detected in container"
  description = "Detects a terminal shell or a ssh spawned in a container"
  enabled     = true
  severity    = 0 // HIGH
  scope       = "container.id != \"\""
  rule_names  = [sysdig_secure_rule_network.disallowed_ssh_connection.name,
                 sysdig_secure_rule_process.terminal_shell.name]

  actions {
    container               = "stop"
    capture {
      seconds_before_event  = 5
      seconds_after_event   = 10
    }
  }
}

With the given scope, the policy will only be applied to processes being executed inside containers:

scope = "container.id != \"\""

Using terraform apply the resources are applied in the backend:

Terraform tells us that is going to create 3 resources, which matches what we defined in rules.tf and policy.tf.

After applying the plan, Terraform reports that the 3 resources have been successfully created. The policy uses the rules created before, that’s why it’s the last one being created.

The resources have been created, this is how they look in Sysdig Secure:

But now the problem is that, if this policy triggers there’s no alert notice unless notification channels are defined. Creating two notification channels, one for the email and another one for slack in a file called notification.tf, will alert us when the policy is triggered:

resource "sysdig_secure_notification_channel_email" "devops-email" {
  name                 = "DevOps e-mail"
  enabled              = true
  recipients           = "devops@example.com"
  notify_when_ok       = false
  notify_when_resolved = false
}

resource "sysdig_secure_notification_channel_slack" "devops-slack" {
  name                 = "DevOps Slack"
  enabled              = true
  url                  = "https://hooks.slack.com/services/32klj54h2/34hjkhhsd/wjkkrjwlqpfdirej4jrlwkjx"
  channel              = "#devops"
  notify_when_ok       = false
  notify_when_resolved = false
}

Bind them to the policy, modifying the file policy.tf; note the notification_channels property:

resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" {
  name        = "Terminal shell or SSH detected in container"
  description = "Detects a terminal shell or a ssh spawned in a container"
  enabled     = true
  severity    = 0 // HIGH
  scope       = "container.id != \"\""
  rule_names  = [sysdig_secure_rule_network.disallowed_ssh_connection.name,
                 sysdig_secure_rule_process.terminal_shell.name]

  actions {
    container               = "stop"
    capture {
      seconds_before_event  = 5
      seconds_after_event   = 10
    }
  }

  notification_channels = [sysdig_secure_notification_channel_email.devops-email.id,
                           sysdig_secure_notification_channel_slack.devops-slack.id]
}

Finally, doing a terraform apply, it will inform that it will create 2 new resources and modify the existing policy:

After inputting yes, Terraform will create the notification channels and bind them to the policy, ensuring that the state in Monitor and Secure matches our state defined in the code.

This is how the resources appear on the Sysdig Secure UI:

Now, if someone tries to update it manually, by re-applying the policies, Terraform will restore the desired status from the .tf manifests.

Full Terraform resources documentation

Check all the available resources and datasources for the Terraform Provider for Sysdig in the Official Terraform Registry