https://github.com/sysdiglabs/terraform-aws-fargate-orchestrator-agent
- Host: GitHub
- URL: https://github.com/sysdiglabs/terraform-aws-fargate-orchestrator-agent
- Owner: sysdiglabs
- Created: 2021-10-15T13:43:15.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-10-28T17:46:32.000Z (7 months ago)
- Last Synced: 2025-01-23T01:22:01.238Z (4 months ago)
- Language: HCL
- Size: 58.6 KB
- Stars: 6
- Watchers: 7
- Forks: 4
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Codeowners: CODEOWNERS
- Security: security-group.tf
README
# Deprecation Notice
The Sysdig Orchestrator Agent will be deprecated in **Q2 2025** in favour of Workload Agents connecting directly to Sysdig collectors.
# Sysdig Orchestrator Agent for ECS Fargate
This Terraform module deploys a Sysdig orchestrator agent for Fargate into a specified VPC.
## Example
The module can be created using the IDs of your VPC and two subnets capable of accessing the internet.
```
module "fargate-orchestrator-agent" {
  source = "../terraform-aws-fargate-orchestrator-agent"

  name             = "test-fargate-orchestrator"
  vpc_id           = var.my_vpc_id
  subnets          = [var.my_subnet_a_id, var.my_subnet_b_id]
  access_key       = var.my_sysdig_access_key
  assign_public_ip = true # if using Internet Gateway
}
```

The module outputs can be plugged into the Fargate workload agent data source in the [Sysdig Terraform provider](https://github.com/sysdiglabs/terraform-provider-sysdig):

```
data "sysdig_fargate_workload_agent" "instrumented" {
  ...
  orchestrator_host = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port = module.fargate-orchestrator-agent.orchestrator_port
}
```

The resulting Terraform plan will have the Sysdig Orchestrator ECS service and a load balancer, as well as instrumented container JSON to use in your ECS Fargate task.
## Requirements
No requirements.
## Providers
| Name | Version |
|---------------------------------------------------|---------|
| [aws](#provider\_aws) | 3.61.0 |

## Modules
No modules.
## Resources and Data Sources
| Name | Type |
|------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [aws_cloudwatch_log_group.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_ecs_cluster.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
| [aws_ecs_service.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
| [aws_ecs_task_definition.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
| [aws_iam_role.orchestrator_agent_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_lb.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_security_group.orchestrator_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.orchestrator_agent_egress_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.orchestrator_agent_ingress_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_appautoscaling_target.autoscaling_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
| [aws_appautoscaling_policy.autoscaling_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
| [aws_iam_role.orchestrator_agent_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_region.current_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs
| Name | Description | Type | Default | Required |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------|:--------:|
| [access\_key](#input\_access\_key) | Sysdig Access Key as either clear text or SecretsManager-backed secret reference (expected pattern: `arn:aws:secretsmanager:region:accountId:secret:secretName[:jsonKey:versionStage:versionId]`) | `string` | n/a | yes |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC where the orchestrator should be installed | `string` | n/a | yes |
| [subnets](#input\_subnets) | A list of subnets that can access the internet and are reachable by instrumented services. The subnets must be in at least 2 different AZs. | `list(string)` | n/a | yes |
| [agent\_image](#input\_agent\_image) | Orchestrator agent image | `string` | `"quay.io/sysdig/orchestrator-agent:latest"` | no |
| [agent\_tags](#input\_agent\_tags) | Comma separated list of tags for this agent | `string` | `""` | no |
| [assign\_public\_ip](#input\_assign\_public\_ip) | Provisions a public IP for the service. Required when using an Internet Gateway for egress. | `bool` | `false` | no |
| [check\_collector\_certificate](#input\_check\_collector\_certificate) | Whether to check the collector certificate when connecting. Mainly for development. | `string` | `"true"` | no |
| [collector\_host](#input\_collector\_host) | Sysdig collector host | `string` | `"collector.sysdigcloud.com"` | no |
| [collector\_port](#input\_collector\_port) | Sysdig collector port | `string` | `"6443"` | no |
| [default\_tags](#input\_default\_tags) | Default tags for all Sysdig Fargate Orchestrator resources | `map(string)` | `{ "Application": "sysdig", "Module": "fargate-orchestrator-agent" }` | no |
| [lb\_name](#input\_lb\_name) | Load balancer name. | `string` | `""` | no |
| [orchestrator\_port](#input\_orchestrator\_port) | Port for the workload agent to connect | `number` | `6667` | no |
| [tags](#input\_tags) | Extra tags for all Sysdig Fargate Orchestrator resources | `map(string)` | `{}` | no |
| [collector\_ca\_certificate.type](#collector\_ca\_certificate.type) | Uploads the collector custom CA certificate - The value type | `string` | `"base64"` | no |
| [collector\_ca\_certificate.value](#collector\_ca\_certificate.value) | Uploads the collector custom CA certificate - The value of the CA Certificate | `string` | `""` | no |
| [collector\_ca\_certificate.path](#collector\_ca\_certificate.path) | Uploads the collector custom CA certificate - The path to the CA certificate in the orchestrator | `string` | `"/ssl/collector_cert.pm"` | no |
| [collector\_configuration.ca\_certificate](#collector\_configuration.ca\_certificate) | Configures the SSL connection to the collector - The path to the CA certificate to use in the SSL connection to the collector | `string` | `""` | no |
| [http\_proxy\_ca\_certificate.type](#http\_proxy\_ca\_certificate.type) | Uploads the HTTP proxy CA certificate - The value type | `string` | `"base64"` | no |
| [http\_proxy\_ca\_certificate.value](#http\_proxy\_ca\_certificate.value) | Uploads the HTTP proxy CA certificate - The value of the CA Certificate | `string` | `""` | no |
| [http\_proxy\_ca\_certificate.path](#http\_proxy\_ca\_certificate.path) | Uploads the HTTP proxy CA certificate - The path to the CA certificate in the orchestrator | `string` | `"/ssl/proxy_cert.pm"` | no |
| [http\_proxy\_configuration.proxy\_host](#http\_proxy\_configuration.proxy\_host) | Configures the SSL connection to the HTTP proxy - The proxy host | `string` | `""` | no |
| [http\_proxy\_configuration.proxy\_port](#http\_proxy\_configuration.proxy\_port) | Configures the SSL connection to the HTTP proxy - The proxy port | `string` | `""` | no |
| [http\_proxy\_configuration.proxy\_user](#http\_proxy\_configuration.proxy\_user) | Configures the SSL connection to the HTTP proxy - The proxy user | `string` | `""` | no |
| [http\_proxy\_configuration.proxy\_password](#http\_proxy\_configuration.proxy\_password) | Configures the SSL connection to the HTTP proxy - The proxy password as either clear text or SecretsManager-backed secret reference (expected pattern: `arn:aws:secretsmanager:region:accountId:secret:secretName[:jsonKey:versionStage:versionId]`) | `string` | `""` | no |
| [http\_proxy\_configuration.ssl](#http\_proxy\_configuration.ssl) | Configures the SSL connection to the HTTP proxy - Enables/disables SSL encryption | `string` | `""` | no |
| [http\_proxy\_configuration.ssl\_verify\_certificate](#http\_proxy\_configuration.ssl\_verify\_certificate) | Configures the SSL connection to the HTTP proxy - Enables/disables CA certificate verification | `string` | `""` | no |
| [http\_proxy\_configuration.ca\_certificate](#http\_proxy\_configuration.ca\_certificate) | Configures the SSL connection to the HTTP proxy - The path to the CA certificate to use in the SSL connection to the HTTP proxy | `string` | `""` | no |
| [autoscaling.target\_metric](#autoscaling.target\_metric) | Sets the TargetTracking metric, can be either `ECSServiceAverageCPUUtilization` or `ECSServiceAverageMemoryUtilization` | `string` | `""` | no |
| [autoscaling.target\_value](#autoscaling.target\_value) | The target value for the chosen metric, for example, if the chosen metric is `ECSServiceAverageCPUUtilization` a possible target value could be 50 (that means 50% of CPU Utilization) | `string` | `""` | no |
| [autoscaling.max\_capacity](#autoscaling.max\_capacity) | Sets the maximum capacity the Service can scale out to | `string` | `""` | no |
| [autoscaling.scale\_in\_cooldown](#autoscaling.scale\_in\_cooldown) | Sets the time in seconds after a scale-in activity completes before another scale-in activity can start | `string` | `""` | no |
| [autoscaling.scale\_out\_cooldown](#autoscaling.scale\_out\_cooldown) | Sets the time in seconds after a scale-out activity completes before another scale-out activity can start | `string` | `""` | no |
| [agent\_extra\_conf](#input\_agent\_extra\_conf) | Orchestrator agent extra configuration in YAML format | `string` | `""` | no |
| [agent\_log\_level](#input\_agent\_log\_level) | Orchestrator agent log level | `string` | `"info"` | no |
| [cpu](#input\_cpu) | Task CPU allocation | `string` | `"2048"` | no |
| [memory](#input\_memory) | Task memory allocation | `string` | `"8192"` | no |
| [log\_retention\_days](#input\_log\_retention\_days) | Task log retention period in days | `string` | `"0"` | no |
| [runtime\_platform.cpu\_architecture](#runtime\_platform.cpu\_architecture) | The cpu architecture, either `X86_64` or `ARM64` | `string` | `"X86_64"` | no |

## Outputs
| Name | Description |
|-------------------------------------------------------------------------------------------|--------------------------------------------------|
| [orchestrator\_host](#output\_orchestrator\_host) | The DNS name of the orchestrator's load balancer |
| [orchestrator\_port](#output\_orchestrator\_port) | The configured port on the orchestrator |
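The `access_key` and `http_proxy_configuration.proxy_password` inputs listed above accept either clear text or a Secrets Manager reference in the documented ARN pattern. The following pre-apply check is an added example, not part of this module or the Sysdig provider: it parses that pattern and flags values that would otherwise land in plan output and Terraform state. The all-or-nothing treatment of the bracketed `jsonKey:versionStage:versionId` suffix follows the ECS secrets convention and is an assumption, as are the sample ARN and account id.

```python
# Pre-apply check for the module's secret-bearing inputs (added example, not module code).
# access_key and http_proxy_configuration.proxy_password accept clear text or a
# Secrets Manager reference in the README's documented form:
#   arn:aws:secretsmanager:region:accountId:secret:secretName[:jsonKey:versionStage:versionId]
import re
from typing import Optional

# Base ARN fields; secret names cannot contain ':' so splitting the whole value on ':' is safe.
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):secretsmanager:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:"
    r"(?P<secret_name>[A-Za-z0-9/_+=.@-]+)$"
)

def parse_secret_reference(value: str) -> Optional[dict]:
    """Return the fields of a Secrets Manager reference, or None if value is not one.
    The bracketed jsonKey:versionStage:versionId suffix is all-or-nothing (assumption);
    single fields may be empty (e.g. 'name:::'), as in the ECS secrets valueFrom convention."""
    parts = value.split(":")
    if len(parts) == 7:
        base, extras = value, ("", "", "")
    elif len(parts) == 10:
        base, extras = ":".join(parts[:7]), tuple(parts[7:])
    else:
        return None
    match = _ARN_RE.match(base)
    if not match:
        return None
    ref = match.groupdict()
    ref["json_key"], ref["version_stage"], ref["version_id"] = extras
    return ref

def classify_credential(value: str) -> str:
    """'empty' for the module default "", 'secretsmanager' for a valid reference,
    otherwise 'cleartext' (a value that would land in plan output and state)."""
    if value == "":
        return "empty"
    return "secretsmanager" if parse_secret_reference(value) else "cleartext"

def find_cleartext(inputs: dict) -> list:
    """Names of the module's secret-bearing inputs that carry clear-text values."""
    secret_inputs = ("access_key", "http_proxy_configuration.proxy_password")
    return [name for name in secret_inputs
            if classify_credential(inputs.get(name, "")) == "cleartext"]

if __name__ == "__main__":
    # Constructed sample values; the ARN, account id and password are placeholders.
    sample = {"access_key": "arn:aws:secretsmanager:us-east-1:123456789012:secret:sysdig/key-AbCdEf",
              "http_proxy_configuration.proxy_password": "hunter2"}
    print(find_cleartext(sample))  # ['http_proxy_configuration.proxy_password']
```

Feed it the flattened key/value pairs of your `*.tfvars` (or the values a pipeline injects) and fail the job when the returned list is non-empty.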