Terraform

Deploy the orchestrator agent and workload agent components on ECS Fargate using Terraform.

Prerequisites

Deploy the Agent Components

  1. Set up the AWS Terraform provider:

    provider "aws" {
      region = var.region
    }
    
  2. Configure the Sysdig orchestrator module and deploy it for each VPC that needs instrumentation:

    module "fargate-orchestrator-agent" {
      source  = "sysdiglabs/fargate-orchestrator-agent/aws"
      version = "0.2.0"
    
      vpc_id           = var.vpc_id
      subnets          = [var.subnet_a_id, var.subnet_b_id]
    
      access_key       = var.access_key
    
      collector_host   = var.collector_host
      collector_port   = var.collector_port
    
      name             = "sysdig-orchestrator"
      agent_image      = "quay.io/sysdig/orchestrator-agent:latest"
    
      # True if the VPC uses an InternetGateway, false otherwise
      assign_public_ip = true
    
      tags = {
        description    = "Sysdig Serverless Agent Orchestrator"
      }
    }
    
  3. Set up the Sysdig Terraform provider:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
          version = ">= 0.5.39"
        }
      }
    }
    
    provider "sysdig" {
      sysdig_secure_api_token = var.secure_api_token
    }
    
  4. Pass the orchestrator host, port, and container definitions of your workload to the sysdig_fargate_workload_agent data source.

    Note: The input container definitions must be in JSON format:

    data "sysdig_fargate_workload_agent" "instrumented" {
      container_definitions = jsonencode([...])
    
      sysdig_access_key     = var.access_key
    
      workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
    
      orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
      orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
    }
    
  5. Include the instrumented JSON in your Fargate task definition and deploy your instrumented workload:

    resource "aws_ecs_task_definition" "fargate_task" {
      ...
    
      network_mode             = "awsvpc"
      requires_compatibilities = ["FARGATE"]
    
      container_definitions    = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
    }
    

The Sysdig instrumentation rewrites the original task definition to instrument it. This includes replacing the original entry point and command of the containers.

For images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition; otherwise the instrumentation will not complete.
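Steps 4 and 5 assembled into one configuration, as an added example that is not part of the Sysdig documentation: the registry host, the ARNs, the container name and the CPU/memory sizes are placeholders. The original container definition states its entryPoint and command explicitly, which is what the private-registry requirement above calls for, and the task definition consumes only the instrumented output.

```hcl
# Added example, not from the Sysdig docs. All names and ARNs are placeholders.
variable "access_key" {
  type      = string
  sensitive = true # Sysdig agent access key; keep it out of state output and VCS
}

locals {
  # Original (un-instrumented) container definitions. The instrumentation
  # replaces entryPoint/command, so for an image from a private registry
  # both are given explicitly instead of being left to the image manifest.
  app_containers = [
    {
      name       = "app"
      image      = "registry.example.com/team/app:1.0.0" # placeholder private registry
      essential  = true
      entryPoint = ["/usr/local/bin/app"]
      command    = ["--port", "8080"]
      portMappings = [{ containerPort = 8080, protocol = "tcp" }]
      repositoryCredentials = {
        # placeholder: Secrets Manager secret holding the registry credentials
        credentialsParameter = "arn:aws:secretsmanager:us-east-1:123456789012:secret:registry-creds"
      }
    }
  ]
}

data "sysdig_fargate_workload_agent" "instrumented" {
  container_definitions = jsonencode(local.app_containers)
  sysdig_access_key     = var.access_key
  workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
  orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
}

resource "aws_ecs_task_definition" "fargate_task" {
  family                   = "app-instrumented"
  cpu                      = "512"  # placeholder sizing
  memory                   = "1024" # placeholder sizing
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  execution_role_arn       = "arn:aws:iam::123456789012:role/ecsTaskExecutionRole" # placeholder
  task_role_arn            = "arn:aws:iam::123456789012:role/appTaskRole"          # placeholder

  # Use the instrumented definitions, never local.app_containers directly
  container_definitions = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
}
```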

Upgrade the Agent Components

The Orchestrator and Workload agents can be upgraded individually by redeploying their respective stacks. If the stacks were deployed using the latest tag, simply redeploying the existing Terraform will reference the new versions.

Orchestrator Agent

The Orchestrator Agent running in a stack can be updated by modifying the agent_image version in the module if the version was explicitly defined.

module "fargate-orchestrator-agent" {
  ...
  agent_image = "quay.io/sysdig/orchestrator-agent:4.2.0" -> "quay.io/sysdig/orchestrator-agent:4.2.1"
  ...
}

Workload Agent

The Workload Agent can be updated by modifying the workload_agent_image version in the sysdig_fargate_workload_agent data source if the version was explicitly defined.

data "sysdig_fargate_workload_agent" "containers_instrumented" {
  ...
  workload_agent_image = "quay.io/sysdig/workload-agent:4.2.0" -> "quay.io/sysdig/workload-agent:4.2.1"
  ...
}

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.