lacework/terraform-kubernetes-agent

Latest commit

b229133 · Nov 6, 2024

terraform-kubernetes-agent

A Terraform Module to create a Secret and DaemonSet for deploying the Lacework Datacollector Agent in a Kubernetes cluster. Optionally, the module can also deploy the Kubernetes Compliance collection agent.

Kubernetes

The main.tf file will configure a Kubernetes Secret and DaemonSet which will then be used to run the Lacework Datacollector pod across all worker nodes in a cluster.
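
A minimal root configuration that calls this module, as an added example (not taken from the project's own documentation). It assumes the registry address lacework/agent/kubernetes for this repository, a local kubeconfig, and placeholder cluster values; the namespace is created separately because the module's resource list contains no namespace resource.

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0.0"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 2.0"
    }
  }
}

# Assumption: cluster credentials come from a local kubeconfig.
# The lacework provider is left to pick up its credentials from the environment.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

# Supply through TF_VAR_lacework_access_token or a secrets manager,
# not as a literal committed to version control.
variable "lacework_access_token" {
  type      = string
  sensitive = true
}

# Dedicated namespace instead of the module default ("default").
resource "kubernetes_namespace" "lacework" {
  metadata {
    name = "lacework"
  }
}

module "lacework_k8s_datacollector" {
  source = "lacework/agent/kubernetes" # assumed registry address for this repo

  lacework_access_token = var.lacework_access_token
  namespace             = kubernetes_namespace.lacework.metadata[0].name

  # Optional Kubernetes compliance collector (off by default).
  enable_cluster_agent    = true
  lacework_cluster_name   = "example-cluster" # placeholder
  lacework_cluster_region = "us-west-2"       # placeholder
  lacework_cluster_type   = "eks"             # assumed value

  lacework_agent_tags = { env = "example" }
}
```

Marking the variable sensitive only redacts it from plan and apply output; the token is still written to the Terraform state through the Secret resources, so the state backend needs encryption and restricted access.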

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14 |
| kubernetes | >= 2.0.0 |
| lacework | ~> 2.0 |

Providers

| Name | Version |
|------|---------|
| kubernetes | >= 2.0.0 |
| lacework | ~> 2.0 |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| kubernetes_cluster_role.lacework_k8s_collector | resource |
| kubernetes_cluster_role_binding.lacework_k8s_collector | resource |
| kubernetes_daemonset.lacework_datacollector | resource |
| kubernetes_deployment.lacework_k8s_collector | resource |
| kubernetes_secret.lacework_access_token | resource |
| kubernetes_secret.lacework_config | resource |
| kubernetes_secret.lacework_k8s_collector | resource |
| kubernetes_service_account.lacework_k8s_collector | resource |
| random_id.cluster_config_name_tail | resource |
| random_id.node_config_name_tail | resource |
| lacework_metric_module.lwmetrics | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enable_cluster_agent | A boolean representing whether the Lacework cluster agent should be deployed | bool | false | no |
| lacework_access_token | The access token for the Lacework agent | string | n/a | yes |
| lacework_agent_autoupgrade | Boolean value to control whether or not the agent should automatically upgrade to newer versions when available | bool | true | no |
| lacework_agent_configuration | A map/dictionary of configuration parameters for the Lacework datacollector | any | {} | no |
| lacework_agent_interface_connection_size | Desired value for the InterfaceConnectionSize Lacework agent parameter | string | "" | no |
| lacework_agent_log_stdout | Enable Lacework agent stdout logging. | bool | true | no |
| lacework_agent_name | The name for the Lacework agent service within Kubernetes | string | "lacework-agent" | no |
| lacework_agent_tags | A map/dictionary of Tags to be assigned to the Lacework datacollector | map(string) | {} | no |
| lacework_cluster_configuration | A map/dictionary of configuration parameters for the Lacework K8s collector | map(any) | {} | no |
| lacework_cluster_cpu_limit | The limit of CPU units for the Lacework K8s collector pod | string | "500m" | no |
| lacework_cluster_cpu_request | The amount of CPU units to request for the Lacework K8s collector pod | string | "200m" | no |
| lacework_cluster_exclusive | A boolean representing whether the Lacework K8s collector will operate in exclusive mode | bool | false | no |
| lacework_cluster_image | The name of the image to use for deploying the Lacework K8s collector | string | "lacework/k8scollector" | no |
| lacework_cluster_image_pull_policy | The pull policy to use for deploying the Lacework K8s collector | string | "Always" | no |
| lacework_cluster_mem_limit | The limit of Memory for the Lacework K8s collector pod | string | "1450Mi" | no |
| lacework_cluster_mem_request | The amount of Memory to request for the Lacework K8s collector pod | string | "512Mi" | no |
| lacework_cluster_name | The name of the K8s cluster that the Lacework K8s collector will monitor | string | "" | no |
| lacework_cluster_region | The region of the K8s cluster that the Lacework K8s collector will monitor | string | "" | no |
| lacework_cluster_type | The type of the K8s cluster that the Lacework K8s collector will monitor | string | "" | no |
| lacework_config_name | The name for the Lacework agent configuration within Kubernetes | string | "lacework-config" | no |
| lacework_enable_default_syscall_config | A flag to enable the default syscall config | bool | false | no |
| lacework_image | The name of the image to use for deploying the Lacework datacollector | string | "lacework/datacollector" | no |
| lacework_image_pull_policy | The pull policy to use for deploying the Lacework datacollector | string | "Always" | no |
| lacework_proxy_url | The proxy URL for the Lacework agent | string | "" | no |
| lacework_server_url | The server URL for the Lacework agent | string | "" | no |
| namespace | The Kubernetes namespace in which to deploy | string | "default" | no |
| node_affinity | Node affinity settings | list(object({ key = string, operator = string, values = list(string) })) | [{"key": "kubernetes.io/arch", "operator": "In", "values": ["amd64", "arm64"]}, {"key": "kubernetes.io/os", "operator": "In", "values": ["linux"]}] | no |
| node_selector | A map of key:value pairs of node labels to specify which nodes to deploy the DaemonSet to | map(any) | null | no |
| pod_cpu_limit | The limit of CPU units for the Lacework datacollector pod | string | "500m" | no |
| pod_cpu_request | The amount of CPU units to request for the Lacework datacollector pod | string | "200m" | no |
| pod_mem_limit | The limit of Memory for the Lacework datacollector pod | string | "1450Mi" | no |
| pod_mem_request | The amount of Memory to request for the Lacework datacollector pod | string | "512Mi" | no |
| pod_priority_class_name | Indicates the pod's priority. Requires an existing priority class name resource if not 'system-node-critical' and 'system-cluster-critical' | string | "" | no |
| pod_service_account | The Kubernetes ServiceAccount to use in the pod template | string | "" | no |
| revision_history_limit | The number of revision history to keep. | number | 10 | no |
| tolerations | A list of Kubernetes Tolerations to apply to the DaemonSet definition | list(map(string)) | [{"effect": "NoSchedule", "key": "node-role.kubernetes.io/infra"}, {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master"}] | no |

Outputs

| Name | Description |
|------|-------------|
| lacework_config_name | Name of the Kubernetes Secret containing the Lacework config |
| lacework_config_version | Version of the Kubernetes Secret containing the Lacework config |
| lacework_datacollector_name | Name of the Kubernetes DaemonSet for the Lacework datacollector |
| lacework_datacollector_version | Version of the Kubernetes DaemonSet for the Lacework datacollector |
