Deploy the orchestrator agent and workload agent components on ECS Fargate using Terraform.


Deployment Steps

  1. Set up the AWS Terraform provider:

    provider "aws" {
      region = var.region
  2. Configure the Sysdig orchestrator module and deploy it for each VPC that needs instrumentation:

    module "fargate-orchestrator-agent" {
      source  = "sysdiglabs/fargate-orchestrator-agent/aws"
      version = "0.1.1"
      vpc_id           = var.vpc_id
      subnets          = [var.subnet_a_id, var.subnet_b_id]
      access_key       = var.access_key
      collector_host   = var.collector_host
      collector_port   = var.collector_port
      name             = "sysdig-orchestrator"
      agent_image      = "quay.io/sysdig/orchestrator-agent:latest"
      # True if the VPC uses an InternetGateway, false otherwise
      assign_public_ip = true
      tags = {
        description    = "Sysdig Serverless Agent Orchestrator"
  3. Set up the Sysdig Terraform provider:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
          version = ">= 0.5.39"
    provider "sysdig" {
      sysdig_secure_api_token = var.secure_api_token
  4. Pass the orchestrator host, port, and container definitions of your workload to the sysdig_fargate_workload_agent data source.

    Note: The input container definitions must be in JSON format:

    data "sysdig_fargate_workload_agent" "instrumented" {
      container_definitions = jsonencode([...])
      sysdig_access_key     = var.access_key
      workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
      orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
      orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
  5. Include the instrumented JSON in your Fargate task definition and deploy your instrumented workload:

    resource "aws_ecs_task_definition" "fargate_task" {
      network_mode             = "awsvpc"
      requires_compatibilities = ["FARGATE"]
      container_definitions    = "${data.sysdig_fargate_workload_agent.instrumented.output_container_definitions}"

The Sysdig instrumentation will go over the original task definition to instrument it. The process includes replacing the original entry point and command of the containers.

For the images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, or the instrumentation will not be completed.

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.