Terraform
Prerequisites
Review the Installation Requirements before getting started.
For details about the Resources, Inputs, and Outputs, see the Fargate Workload Agent Terraform registry.
For images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, or the instrumentation will not be completed.
Deploy the Agent
An example deployment for the Orchestrator Agent can be found in the Sysdig Terraform provider: Workload Agent example.
The Sysdig instrumentation rewrites the original task definition to instrument it. As part of that process it replaces the original entry point and command of the containers.
Workload Agent Deployment Types
You can deploy the Workload Agent to run in the workload container or in a sidecar container. The latter is the default mode for version 5.0.0 onwards. By default, the agent will detect the runtime configuration and deploy itself accordingly.
The pid_mode parameter in a task definition determines how the agent is deployed. To deploy in a sidecar container, set this parameter to task. Any other value deploys the agent in the workload container.
Advanced Configuration for Workload Agent
Use the following advanced options to fine-tune the Workload Agent:
- Priority: Supported options are availability (the default) or security.
  - In security mode the Workload Agent processes every syscall event and prevents the workloads from running unsecured. Consequently, secured applications will not execute until the Workload Agent receives the runtime policies.
  - In availability mode the Workload Agent instead shares resources with the workload containers: it detects when resource pressure exceeds configurable limits and pauses event processing to reduce the pressure.
- Instrumentation essential: If marked as essential, ECS will stop all containers in the task if the sidecar exits. The sidecar container is marked as essential in security mode by default to prevent secured workloads from running unsecured.
- Instrumentation CPU/memory configuration: These settings allocate dedicated CPU units and memory reservations/limits to the sidecar container.
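A pre-deployment check for the inputs described in the Prerequisites and Deployment Types sections above. This is an added example, not Sysdig code: it takes the container definitions JSON you would hand to the data source, the task-level pid_mode, the agent image and the priority option, and returns findings instead of deploying. The sample container definitions are constructed; the entryPoint/command check is stricter than the page's prerequisite because it flags every container, not only those from private registries.

```python
import json

# Constructed sample input: the container definitions that would be passed to
# the sysdig_fargate_workload_agent data source. "worker" deliberately omits
# entryPoint and command.
SAMPLE_CONTAINER_DEFINITIONS = json.dumps([
    {
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:1.4.2",
        "entryPoint": ["/app/server"],
        "command": ["--port", "8080"],
    },
    {
        "name": "worker",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/worker:1.4.2",
    },
])

VALID_PRIORITIES = ("availability", "security")


def check_instrumentation_inputs(container_definitions_json, pid_mode,
                                 workload_agent_image, priority="availability"):
    """Return a list of findings (strings) for a planned instrumentation.

    An empty list means every check passed; a CI step can fail on a non-empty one.
    """
    findings = []
    for container in json.loads(container_definitions_json):
        name = container.get("name", "<unnamed>")
        # Instrumentation replaces entryPoint and command, so both must be present.
        missing = [k for k in ("entryPoint", "command") if not container.get(k)]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}; "
                            "instrumentation will not complete")
    # pid_mode = "task" selects the sidecar; anything else runs the agent
    # inside the workload container.
    if pid_mode != "task":
        findings.append(f"pid_mode={pid_mode!r}: agent will run inside the "
                        "workload container, not as a sidecar")
    # A missing or floating tag means a redeploy silently changes agent version.
    # A "/" in the parsed tag means the colon belonged to a registry port.
    _, _, tag = workload_agent_image.rpartition(":")
    if not tag or "/" in tag or tag == "latest":
        findings.append(f"workload_agent_image {workload_agent_image!r} is not "
                        "pinned to a version")
    if priority not in VALID_PRIORITIES:
        findings.append(f"priority={priority!r} is not one of {VALID_PRIORITIES}")
    return findings
```

Running it with pid_mode="host" and the image tag "latest" against the sample yields three findings; with pid_mode="task" and a pinned tag only the "worker" container is reported.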
Upgrade the Agent
The Workload Agent can be upgraded individually by redeploying its stack. If the stack was deployed using the latest tag, redeploying the existing Terraform will reference the new version.
For example, to upgrade from v4.2.0 to v5.0.0, add the following to your configuration:
data "sysdig_fargate_workload_agent" "containers_instrumented" {
...
workload_agent_image = "quay.io/sysdig/workload-agent:5.0.0"
...
}
To upgrade to v5.0.0, also add the pid_mode parameter to the task definition and set it to task. For example:
resource "aws_ecs_task_definition" "task_definition" {
  family                   = "${var.prefix}-instrumented-task-definition"
  task_role_arn            = aws_iam_role.task_role.arn
  execution_role_arn       = aws_iam_role.execution_role.arn
  cpu                      = "256"
  memory                   = "512"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  # "task" selects the sidecar deployment mode introduced in v5.0.0
  pid_mode                 = "task"
  # The agent image is set with workload_agent_image on the
  # sysdig_fargate_workload_agent data source, not on this resource.
  container_definitions    = data.sysdig_fargate_workload_agent.containers_instrumented.output_container_definitions
}
Legacy Orchestrator Agent
The Orchestrator Agent will be deprecated in a future release. You can still use it as a proxy connection between the Workload Agent and the Sysdig Collector with Agent version 5.3.
For details about the Resources, Inputs, and Outputs, see Fargate Orchestrator Agent in the Terraform registry.
To view an example deployment, refer to Orchestrator Agent.
Upgrading the Orchestrator Agent
To upgrade the Orchestrator Agent in a stack, update the agent_image version in the module if it is explicitly defined.
For example, to upgrade from version 4.2.0 to 5.0.0, add the following to your task definition:
module "fargate-orchestrator-agent" {
...
agent_image = "quay.io/sysdig/orchestrator-agent:5.0.0"
...
}
Next Steps
After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can apply the advanced configuration options above to fine-tune the agent.