Terraform Provider

Sysdig provides a Terraform Provider to expose and use some of the most common Sysdig API functions for

  • Sysdig Platform
  • Sysdig Secure
  • Sysdig Monitor

Learn more about using the provider in the official Terraform Registry - Sysdig Provider repository.

You can also provide feedback or create pull requests in the Sysdig Terraform Provider Source Github Repository

Using Terraform

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.

Configuration files describe to Terraform the components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure or configuration.

As the configuration changes, Terraform is able to determine what changed and create incremental execution plans which can be applied.

Terraform Provider for Sysdig

The Terraform Provider for Sysdig allows you to manage your configuration in Sysdig Secure and Sysdig Monitor as code, allowing you to synchronize your declarative configuration with the configuration at the Platform.

You can instrument several use cases like:

  • Backup/restore
  • Disaster recovery
  • Configuration version management

Installation

Follow Terraform Registry - Sysdig Provider official instructions.

Create Resources with Terraform

This is an example to create a pair of rules able to detect SSH connections and shells spawned in containers.

  1. Define a couple of rules in the rules.tf file. One rule to detect inbound and outbound connections made to the port 22, and the other to detect a shell process being spawned.

    resource "sysdig_secure_rule_network" "disallowed_ssh_connection" {
      name           = "Disallowed SSH Connection detected"
      description    = "Detect any new ssh connection to a host"
      tags           = ["network"]
    
      block_inbound  = true
      block_outbound = true
    
      tcp {
        matching     = true
        ports        = [22]
      }
    }
    
    resource "sysdig_secure_rule_process" "terminal_shell" {
      name        = "Terminal shell detected"
      description = "A shell was used as the entrypoint/exec point"
      tags        = ["shell"]
    
      processes   = ["ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]
    }
    

    For more information about the configuration blocks, see Terraform Syntax.

  2. Create a policy in a file called policy.tf to define how these rules are applied. The policy will stop the affected container and trigger a capture for further troubleshooting.

    resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" {
      name        = "Terminal shell or SSH detected in container"
      description = "Detects a terminal shell or a ssh spawned in a container"
      enabled     = true
      severity    = 0 // HIGH
      scope       = "container.id != \"\""
      rule_names  = [sysdig_secure_rule_network.disallowed_ssh_connection.name,
                     sysdig_secure_rule_process.terminal_shell.name]
    
      actions {
        container               = "stop"
        capture {
          seconds_before_event  = 5
          seconds_after_event   = 10
        }
      }
    }
    

    With the given scope, the policy will only be applied to processes being executed inside containers:

    scope = "container.id != \"\""
    
  3. Perfrom terraform apply.

    Using terraform apply the resources are applied in the backend:

    Terraform reports that three resources will be created, which matches what you defined in rules.tf and policy.tf.

  4. After applying the plan, ensure that Terraform reports about the resource creation.

    The policy uses the rules created before, therefore, it’s the last one being created.

    When the resources have been created, they appear as follows in the Sysdig Secure UI.

    However, if this policy triggers no alert notification unless you create notification channels.

  5. Create two notification channels, one for the email and another one for slack in a file called notification.tf.

    resource "sysdig_secure_notification_channel_email" "devops-email" {
      name                 = "DevOps e-mail"
      enabled              = true
      recipients           = "devops@example.com"
      notify_when_ok       = false
      notify_when_resolved = false
    }
    
    resource "sysdig_secure_notification_channel_slack" "devops-slack" {
      name                 = "DevOps Slack"
      enabled              = true
      url                  = "https://hooks.slack.com/services/xyz"
      channel              = "#devops"
      notify_when_ok       = false
      notify_when_resolved = false
    }
    

    They will alert when the policy is triggered.

  6. Bind them to the policy by modifying the policy.tf file. Note the notification_channels property:

    resource "sysdig_secure_policy" "terminal_shell_or_ssh_in_container" {
      name        = "Terminal shell or SSH detected in container"
      description = "Detects a terminal shell or a ssh spawned in a container"
      enabled     = true
      severity    = 0 // HIGH
      scope       = "container.id != \"\""
      rule_names  = [sysdig_secure_rule_network.disallowed_ssh_connection.name,
                     sysdig_secure_rule_process.terminal_shell.name]
    
      actions {
        container               = "stop"
        capture {
          seconds_before_event  = 5
          seconds_after_event   = 10
        }
      }
    
      notification_channels = [sysdig_secure_notification_channel_email.devops-email.id,
                               sysdig_secure_notification_channel_slack.devops-slack.id]
    }
    
  7. Perform terraform apply.

    Terraform will create two new resources and modify the existing policy

  8. Choose yes.

    Terraform will create the notification channels and bind them to the policy, ensuring that the state in Monitor and Secure matches our state defined in the code.

    This is how the resources appear on the Sysdig Secure UI:

Now, if you try to update it manually, by re-applying the policies, Terraform will restore the desired status from the .tf manifests.

Learn More

Check all the available resources and datasources for the Terraform Provider for Sysdig in the official Terraform Registry.