This Terraform module deploys a Sysdig orchestrator agent for Fargate into a specified VPC.
To use the module, supply the ID of your VPC and the IDs of two subnets that can reach the internet.
```hcl
module "fargate-orchestrator-agent" {
  source           = "../terraform-aws-fargate-orchestrator-agent"
  name             = "test-fargate-orchestrator"
  vpc_id           = var.my_vpc_id
  subnets          = [var.my_subnet_a_id, var.my_subnet_b_id]
  access_key       = var.my_sysdig_access_key
  assign_public_ip = true # if using Internet Gateway
}
```
The module outputs can be plugged into the Fargate workload agent data source in the Sysdig Terraform provider:
```hcl
data "sysdig_fargate_workload_agent" "instrumented" {
  ...
  orchestrator_host = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port = module.fargate-orchestrator-agent.orchestrator_port
}
```
The resulting Terraform plan will include the Sysdig Orchestrator ECS service and its load balancer, together with the instrumented container JSON to use in your ECS Fargate task definition.
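As an added example (not part of this README or the module itself), the following wires the module into an instrumented Fargate task end to end. It assumes a variable `var.sysdig_access_key_secret_arn` holding a Secrets Manager ARN in the pattern documented for `access_key`, an existing `aws_iam_role.task_execution`, private subnets with NAT egress, and the `sysdig_fargate_workload_agent` argument names (`container_definitions`, `sysdig_access_key`, `workload_agent_image`, `output_container_definitions`) as documented by the Sysdig Terraform provider, which should be checked against the provider version in use.

```hcl
# Added example, not the module's own code. Assumes var.sysdig_access_key_secret_arn
# (Secrets Manager ARN), var.my_sysdig_access_key and aws_iam_role.task_execution exist.
locals {
  # Constructed sample container definition for the task to be instrumented
  app_containers = [{
    name         = "app"
    image        = "public.ecr.aws/docker/library/nginx:stable"
    portMappings = [{ containerPort = 80, protocol = "tcp" }]
  }]
}

module "fargate-orchestrator-agent" {
  source  = "../terraform-aws-fargate-orchestrator-agent"
  name    = "prod-fargate-orchestrator"
  vpc_id  = var.my_vpc_id
  subnets = [var.my_subnet_a_id, var.my_subnet_b_id] # must span two AZs
  # Secrets Manager reference (pattern from the inputs table) instead of a clear-text key
  access_key = var.sysdig_access_key_secret_arn
  assign_public_ip            = false  # private subnets with NAT egress, no Internet Gateway
  check_collector_certificate = "true" # keep collector TLS verification on
  log_retention_days          = "30"   # explicit retention instead of the default "0"
  autoscaling = {
    target_metric      = "ECSServiceAverageCPUUtilization"
    target_value       = "50" # 50% average CPU
    max_capacity       = "4"
    scale_in_cooldown  = "300"
    scale_out_cooldown = "60"
  }
}

# Sysdig provider data source; the two orchestrator_* inputs come from the module outputs
data "sysdig_fargate_workload_agent" "instrumented" {
  container_definitions = jsonencode(local.app_containers)
  sysdig_access_key     = var.my_sysdig_access_key
  workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
  orchestrator_host     = module.fargate-orchestrator-agent.orchestrator_host
  orchestrator_port     = module.fargate-orchestrator-agent.orchestrator_port
}

# The instrumented container JSON replaces the original definitions in the task
resource "aws_ecs_task_definition" "app" {
  family                   = "instrumented-app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "512"
  memory                   = "1024"
  execution_role_arn       = aws_iam_role.task_execution.arn
  container_definitions    = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
}
```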
No requirements.
| Name | Version |
|---|---|
| aws | 3.61.0 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.orchestrator_agent | resource |
| aws_ecs_cluster.orchestrator_agent | resource |
| aws_ecs_service.orchestrator_agent | resource |
| aws_ecs_task_definition.orchestrator_agent | resource |
| aws_iam_role.orchestrator_agent_execution_role | resource |
| aws_lb.orchestrator_agent | resource |
| aws_lb_listener.orchestrator_agent | resource |
| aws_lb_target_group.orchestrator_agent | resource |
| aws_security_group.orchestrator_agent | resource |
| aws_security_group_rule.orchestrator_agent_egress_rule | resource |
| aws_security_group_rule.orchestrator_agent_ingress_rule | resource |
| aws_appautoscaling_target.autoscaling_target | resource |
| aws_appautoscaling_policy.autoscaling_policy | resource |
| aws_iam_role.orchestrator_agent_autoscaling | resource |
| aws_region.current_region | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_key | Sysdig Access Key as either clear text or a SecretsManager-backed secret reference (expected pattern: arn:aws:secretsmanager:region:accountId:secret:secretName[:jsonKey:versionStage:versionId]) | string | n/a | yes |
| vpc_id | ID of the VPC where the orchestrator should be installed | string | n/a | yes |
| subnets | A list of subnets that can access the internet and are reachable by instrumented services. The subnets must be in at least 2 different AZs. | list(string) | n/a | yes |
| agent_image | Orchestrator agent image | string | "quay.io/sysdig/orchestrator-agent:latest" | no |
| agent_tags | Comma-separated list of tags for this agent | string | "" | no |
| assign_public_ip | Provisions a public IP for the service. Required when using an Internet Gateway for egress. | bool | false | no |
| check_collector_certificate | Whether to check the collector certificate when connecting; turning this off is mainly for development. | string | "true" | no |
| collector_host | Sysdig collector host | string | "collector.sysdigcloud.com" | no |
| collector_port | Sysdig collector port | string | "6443" | no |
| default_tags | Default tags for all Sysdig Fargate Orchestrator resources | map(string) | { | no |
| lb_name | Load balancer name. | string | "" | no |
| orchestrator_port | Port for the workload agent to connect to | number | 6667 | no |
| tags | Extra tags for all Sysdig Fargate Orchestrator resources | map(string) | {} | no |
| collector_ca_certificate.type | Uploads the collector custom CA certificate - The value type | string | "base64" | no |
| collector_ca_certificate.value | Uploads the collector custom CA certificate - The value of the CA certificate | string | "" | no |
| collector_ca_certificate.path | Uploads the collector custom CA certificate - The path to the CA certificate in the orchestrator | string | "/ssl/collector_cert.pm" | no |
| collector_configuration.ca_certificate | Configures the SSL connection to the collector - The path to the CA certificate to use in the SSL connection to the collector | string | "" | no |
| http_proxy_ca_certificate.type | Uploads the HTTP proxy CA certificate - The value type | string | "base64" | no |
| http_proxy_ca_certificate.value | Uploads the HTTP proxy CA certificate - The value of the CA certificate | string | "" | no |
| http_proxy_ca_certificate.path | Uploads the HTTP proxy CA certificate - The path to the CA certificate in the orchestrator | string | "/ssl/proxy_cert.pm" | no |
| http_proxy_configuration.proxy_host | Configures the SSL connection to the HTTP proxy - The proxy host | string | "" | no |
| http_proxy_configuration.proxy_port | Configures the SSL connection to the HTTP proxy - The proxy port | string | "" | no |
| http_proxy_configuration.proxy_user | Configures the SSL connection to the HTTP proxy - The proxy user | string | "" | no |
| http_proxy_configuration.proxy_password | Configures the SSL connection to the HTTP proxy - The proxy password as either clear text or a SecretsManager-backed secret reference (expected pattern: arn:aws:secretsmanager:region:accountId:secret:secretName[:jsonKey:versionStage:versionId]) | string | "" | no |
| http_proxy_configuration.ssl | Configures the SSL connection to the HTTP proxy - Enables/disables SSL encryption | string | "" | no |
| http_proxy_configuration.ssl_verify_certificate | Configures the SSL connection to the HTTP proxy - Enables/disables CA certificate verification | string | "" | no |
| http_proxy_configuration.ca_certificate | Configures the SSL connection to the HTTP proxy - The path to the CA certificate to use in the SSL connection to the HTTP proxy | string | "" | no |
| autoscaling.target_metric | Sets the TargetTracking metric; can be either ECSServiceAverageCPUUtilization or ECSServiceAverageMemoryUtilization | string | "" | no |
| autoscaling.target_value | The target value for the chosen metric; for example, if the chosen metric is ECSServiceAverageCPUUtilization, a possible target value is 50 (meaning 50% CPU utilization) | string | "" | no |
| autoscaling.max_capacity | Sets the maximum capacity the service can scale out to | string | "" | no |
| autoscaling.scale_in_cooldown | Sets the time in seconds after a scale-in activity completes before another scale-in activity can start | string | "" | no |
| autoscaling.scale_out_cooldown | Sets the time in seconds after a scale-out activity completes before another scale-out activity can start | string | "" | no |
| agent_extra_conf | Orchestrator agent extra configuration in YAML format | string | "" | no |
| agent_log_level | Orchestrator agent log level | string | "info" | no |
| cpu | Task CPU allocation | string | "2048" | no |
| memory | Task memory allocation | string | "8192" | no |
| log_retention_days | Task log retention period in days | string | "0" | no |
| runtime_platform.cpu_architecture | The CPU architecture, either X86_64 or ARM64 | string | "X86_64" | no |
| Name | Description |
|---|---|
| orchestrator_host | The DNS name of the orchestrator's load balancer |
| orchestrator_port | The configured port on the orchestrator |