Terraform

Deploy the orchestrator agent and workload agent components on ECS Fargate using Terraform.

Prerequisites

Review the Installation Requirements before getting started.
For details about the Resources, Inputs, and Outputs, see the following Sysdig Terraform registries:
- Orchestrator Agent
- Workload Agent

Deploy the Agent Components

Set up the AWS Terraform provider:

provider "aws" {
  region = var.region
}

Configure the Sysdig orchestrator module and deploy it for each VPC that needs instrumentation:

module "fargate-orchestrator-agent" {
  source  = "sysdiglabs/fargate-orchestrator-agent/aws"
  version = "0.2.0"

  vpc_id           = var.vpc_id
  subnets          = [var.subnet_a_id, var.subnet_b_id]

  access_key       = var.access_key

  collector_host   = var.collector_host
  collector_port   = var.collector_port

  name             = "sysdig-orchestrator"
  agent_image      = "quay.io/sysdig/orchestrator-agent:latest"

  # True if the VPC uses an InternetGateway, false otherwise
  assign_public_ip = true

  tags = {
    description    = "Sysdig Serverless Agent Orchestrator"
  }
}

Set up the Sysdig Terraform provider:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
      version = ">= 0.5.39"
    }
  }
}

provider "sysdig" {
  sysdig_secure_api_token = var.secure_api_token
}

Pass the orchestrator host, port, and container definitions of your workload to the sysdig_fargate_workload_agent data source.

Note: The input container definitions must be in JSON format:

data "sysdig_fargate_workload_agent" "instrumented" {
  container_definitions = jsonencode([...])

  sysdig_access_key     = var.access_key

  workload_agent_image  = "quay.io/sysdig/workload-agent:latest"

  orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
}

Include the instrumented JSON in your Fargate task definition and deploy your instrumented workload:

resource "aws_ecs_task_definition" "fargate_task" {
  ...

  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]

  container_definitions    = "${data.sysdig_fargate_workload_agent.instrumented.output_container_definitions}"
}

The Sysdig instrumentation will go over the original task definition to instrument it. The process includes replacing the original entry point and command of the containers.

For the images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, or the instrumentation will not be completed.

Upgrade the Agent Components

The Orchestrator and Workload agents can be upgraded individually by redeploying their respective stacks. If the stacks were deploying using the latest tag, simplying redeploying the existing Terraform will reference the new versions.

Orchestrator Agent

The Orchestrator Agent running in a stack can be updated by modifying the agent_image version in the module if the version was explicitly defined.

module "fargate-orchestrator-agent" {
  ...
  agent_image = "quay.io/sysdig/orchestrator-agent:4.2.0" -> "quay.io/sysdig/orchestrator-agent:4.2.1"
  ...
}

Workload Agent

The Orchestrator Agent running in a stack can be updated by modifying the agent_image version in the module if the version was explicitly defined.

data "sysdig_fargate_workload_agent" "containers_instrumented" {
  ...
  workload_agent_image = "quay.io/sysdig/workload-agent:4.2.0" -> "quay.io/sysdig/workload-agent:4.2.1"
  ...
}

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.