Terraform
Prerequisites
Review the Installation Requirements before getting started.
For details about the Resources, Inputs, and Outputs, see the following Sysdig Terraform registries:
Deployment Steps
Set up the AWS Terraform provider:
provider "aws" {
  region = var.region
}
Configure the Sysdig orchestrator module and deploy it for each VPC that needs instrumentation:
module "fargate-orchestrator-agent" {
  source  = "sysdiglabs/fargate-orchestrator-agent/aws"
  version = "0.1.1"

  vpc_id         = var.vpc_id
  subnets        = [var.subnet_a_id, var.subnet_b_id]
  access_key     = var.access_key
  collector_host = var.collector_host
  collector_port = var.collector_port
  name           = "sysdig-orchestrator"
  agent_image    = "quay.io/sysdig/orchestrator-agent:latest"

  # True if the VPC uses an InternetGateway, false otherwise
  assign_public_ip = true

  tags = {
    description = "Sysdig Serverless Agent Orchestrator"
  }
}
Set up the Sysdig Terraform provider:
terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = ">= 0.5.39"
    }
  }
}

provider "sysdig" {
  sysdig_secure_api_token = var.secure_api_token
}
Pass the orchestrator host, port, and container definitions of your workload to the sysdig_fargate_workload_agent data source.
Note: The input container definitions must be in JSON format:
data "sysdig_fargate_workload_agent" "instrumented" {
  container_definitions = jsonencode([...])
  sysdig_access_key     = var.access_key
  workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
  orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
}
Include the instrumented JSON in your Fargate task definition and deploy your instrumented workload:
resource "aws_ecs_task_definition" "fargate_task" {
  ...
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  container_definitions    = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
}
The Sysdig instrumentation rewrites the original task definition. As part of that rewrite it replaces the entry point and command of each container with the agent's own wrapper, which then runs the container's original entry point and command.
For images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, or the instrumentation will not be completed: the instrumentation cannot read the original entry point and command from an image it cannot inspect, so it has to be told them.
Next Steps
After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can perform advanced Configuration steps.