feat(serverless-agent) Add support for ignored containers to the TF d…

…ata source This commit contains: - TF premodifications should update the name parameter to CF style - Add the optional `ignore_containers` field to the Sysdig TF data source - Update docs to reflect the changes
sysdiglabs · Jul 14, 2023 · eabb138 · eabb138
1 parent 5173630
commit eabb138
Show file tree

Hide file tree

Showing 16 changed files with 312 additions and 13 deletions.
diff --git a/sysdig/cfn_preprocess_template.go b/sysdig/cfn_preprocess_template.go
@@ -96,6 +96,19 @@ func terraformPreModifications(ctx context.Context, patchedStack []byte) ([]byte
 				}
 			}
 
+			if container.Exists("name") {
+				passthrough, _ := GetValueFromTemplate(container.S("name"))
+				_, err = container.Set(passthrough, "Name")
+				if err != nil {
+					return nil, fmt.Errorf("Could not update Name field: %v", err)
+				}
+
+				err = container.Delete("name")
+				if err != nil {
+					return nil, fmt.Errorf("could not delete name in the Container definition: %w", err)
+				}
+			}
+
 			if container.Exists("environment") {
 				for _, env := range container.S("environment").Children() {
 					if env.Exists("name") {

diff --git a/sysdig/data_source_sysdig_fargate_ECS_test.go b/sysdig/data_source_sysdig_fargate_ECS_test.go
@@ -25,13 +25,16 @@ var (
 		SysdigLogging:    "sysdig_logging",
 	}
 
+	testIgnoreContainers = []string{}
+
 	testContainerDefinitionFiles = []string{
 		"fargate_entrypoint_test",
 		"fargate_env_test",
 		"fargate_cmd_test",
 		"fargate_linuxparameters_test",
 		"fargate_combined_test",
 		"fargate_volumesfrom_test",
+		"fargate_field_case_test",
 	}
 )
 
@@ -86,7 +89,7 @@ func TestECStransformation(t *testing.T) {
 		RecipeConfig:       string(jsonConf),
 	}
 
-	patchedOutput, err := patchFargateTaskDefinition(context.Background(), string(inputfile), kiltConfig, nil)
+	patchedOutput, err := patchFargateTaskDefinition(context.Background(), string(inputfile), kiltConfig, nil, &testIgnoreContainers)
 	if err != nil {
 		t.Fatalf("Cannot execute PatchFargateTaskDefinition : %v", err.Error())
 	}
@@ -105,6 +108,7 @@ func TestECStransformation(t *testing.T) {
 		VolumesFrom      []interface{}       `json:"VolumesFrom"`
 		LogConfiguration interface{}         `json:"LogConfiguration"`
 		Name             string              `json:"Name"`
+		Name2            string              `json:"name"`
 		Image2           string              `json:"image"`
 		EntryPoint2      string              `json:"entryPoint"`
 	}
@@ -120,7 +124,9 @@ func TestECStransformation(t *testing.T) {
 		t.Fatalf("Error Unmarshaling expected Container definitions: %v", err.Error())
 	}
 
+	// Check if Name key is correct
 	assert.Equal(t, expectedContainerDefinitions[0].Name, patchedContainerDefinitions[0].Name)
+	assert.Equal(t, expectedContainerDefinitions[0].Name2, "")
 
 	// The order received from patchedOutput changes continuously hence it is important to check if the arrays of expected and actual are equal without order being correct. This check also
 	// helps with checking if key/value is named "Name" and "Value" accordingly.
@@ -148,7 +154,7 @@ func TestTransform(t *testing.T) {
 			}
 
 			inputContainerDefinition, _ := os.ReadFile("testfiles/" + testName + ".json")
-			patched, _ := patchFargateTaskDefinition(context.Background(), string(inputContainerDefinition), kiltConfig, nil)
+			patched, _ := patchFargateTaskDefinition(context.Background(), string(inputContainerDefinition), kiltConfig, nil, &testIgnoreContainers)
 			expectedContainerDefinition, _ := os.ReadFile("testfiles/" + testName + "_expected.json")
 
 			sortAndCompare(t, expectedContainerDefinition, []byte(*patched))
@@ -173,8 +179,28 @@ func TestLogGroup(t *testing.T) {
 	}
 
 	inputContainerDefinition, _ := os.ReadFile("testfiles/fargate_log_group.json")
-	patched, _ := patchFargateTaskDefinition(context.Background(), string(inputContainerDefinition), kiltConfig, logConfig)
+	patched, _ := patchFargateTaskDefinition(context.Background(), string(inputContainerDefinition), kiltConfig, logConfig, &testIgnoreContainers)
 	expectedContainerDefinition, _ := os.ReadFile("testfiles/fargate_log_group_expected.json")
 
 	sortAndCompare(t, expectedContainerDefinition, []byte(*patched))
 }
+
+func TestIgnoreContainers(t *testing.T) {
+	jsonConfig, _ := json.Marshal(testKiltDefinition)
+	kiltConfig := &cfnpatcher.Configuration{
+		Kilt:               agentinoKiltDefinition,
+		ImageAuthSecret:    "image_auth_secret",
+		OptIn:              false,
+		UseRepositoryHints: true,
+		RecipeConfig:       string(jsonConfig),
+	}
+
+	fileTemplate := "fargate_ignore_container_test"
+	ignoreContainers := []string{"other", "another"}
+
+	inputContainerDefinition, _ := os.ReadFile("testfiles/" + fileTemplate + ".json")
+	patched, _ := patchFargateTaskDefinition(context.Background(), string(inputContainerDefinition), kiltConfig, nil, &ignoreContainers)
+	expectedContainerDefinition, _ := os.ReadFile("testfiles/" + fileTemplate + "_expected.json")
+
+	sortAndCompare(t, expectedContainerDefinition, []byte(*patched))
+}
diff --git a/sysdig/data_source_sysdig_fargate_workload_agent.go b/sysdig/data_source_sysdig_fargate_workload_agent.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/Jeffail/gabs/v2"
 	"github.com/aws/aws-sdk-go/aws"
@@ -81,6 +82,12 @@ func dataSourceSysdigFargateWorkloadAgent() *schema.Resource {
 				Description: "the collector port to connect to",
 				Optional:    true,
 			},
+			"ignore_containers": {
+				Type:        schema.TypeList,
+				Description: "list of containers to not add instrumentation to",
+				Optional:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
 			"log_configuration": {
 				Type:        schema.TypeSet,
 				MaxItems:    1,
@@ -119,9 +126,15 @@ func dataSourceSysdigFargateWorkloadAgent() *schema.Resource {
 	}
 }
 
+type cfnTag struct {
+	Key   string `json:"Key"`
+	Value string `json:"Value"`
+}
+
 type cfnProperties struct {
 	RequiresCompatibilities []string                 `json:"RequiresCompatibilities"`
 	ContainerDefinitions    []map[string]interface{} `json:"ContainerDefinitions"`
+	Tags                    []cfnTag                 `json:"Tags"`
 }
 
 type cfnResource struct {
@@ -171,20 +184,31 @@ func fargatePostKiltModifications(patchedBytes []byte, logConfig map[string]inte
 }
 
 // PatchFargateTaskDefinition modifies the container definitions
-func patchFargateTaskDefinition(ctx context.Context, containerDefinitions string, kiltConfig *cfnpatcher.Configuration, logConfig map[string]interface{}) (patched *string, err error) {
+func patchFargateTaskDefinition(ctx context.Context, containerDefinitions string, kiltConfig *cfnpatcher.Configuration, logConfig map[string]interface{}, ignoreContainers *[]string) (patched *string, err error) {
 	var cdefs []map[string]interface{}
 	err = json.Unmarshal([]byte(containerDefinitions), &cdefs)
 	if err != nil {
 		return nil, err
 	}
 
+	// Convert the ignore containers list into Kilt tags for the patcher
+	tags := []cfnTag{}
+	if len(*ignoreContainers) > 0 {
+		containerTagValue := strings.Join(*ignoreContainers, ":")
+		tags = append(tags, cfnTag{
+			Key:   "kilt-ignore-containers",
+			Value: containerTagValue,
+		})
+	}
+
 	stack := cfnStack{
 		Resources: map[string]cfnResource{
 			"kilt": {
 				ResourceType: "AWS::ECS::TaskDefinition",
 				Properties: cfnProperties{
 					RequiresCompatibilities: []string{"FARGATE"},
 					ContainerDefinitions:    cdefs,
+					Tags:                    tags,
 				},
 			},
 		},
@@ -270,12 +294,23 @@ func dataSourceSysdigFargateWorkloadAgentRead(ctx context.Context, d *schema.Res
 
 	containerDefinitions := d.Get("container_definitions").(string)
 
+	ignoreContainersField := d.Get("ignore_containers")
+	ignoreContainers := []string{}
+	if ignoreContainersField != nil {
+		for _, value := range ignoreContainersField.([]interface{}) {
+			if value_str, ok := value.(string); ok {
+				value_str = strings.TrimSpace(value_str)
+				ignoreContainers = append(ignoreContainers, value_str)
+			}
+		}
+	}
+
 	logConfig := map[string]interface{}{}
 	if logConfiguration := d.Get("log_configuration").(*schema.Set).List(); len(logConfiguration) > 0 {
 		logConfig = logConfiguration[0].(map[string]interface{})
 	}
 
-	outputContainerDefinitions, err := patchFargateTaskDefinition(ctx, containerDefinitions, kiltConfig, logConfig)
+	outputContainerDefinitions, err := patchFargateTaskDefinition(ctx, containerDefinitions, kiltConfig, logConfig, &ignoreContainers)
 	if err != nil {
 		return diag.Errorf("Error applying configuration patch: %v", err.Error())
 	}

diff --git a/sysdig/testfiles/ECSInstrumented.json b/sysdig/testfiles/ECSInstrumented.json
@@ -66,7 +66,7 @@
         "awslogs-stream-prefix": "ecs"
       }
     },
-    "name": "busybox"
+    "Name": "busybox"
   },
   {
     "EntryPoint": [

diff --git a/sysdig/testfiles/fargate_cmd_test_expected.json b/sysdig/testfiles/fargate_cmd_test_expected.json
@@ -1,6 +1,6 @@
 [
     {
-        "name": "test",
+        "Name": "test",
         "Image": "test_image:latest",
         "EntryPoint": [
             "/opt/draios/bin/instrument"

diff --git a/sysdig/testfiles/fargate_combined_test_expected.json b/sysdig/testfiles/fargate_combined_test_expected.json
@@ -1,6 +1,6 @@
 [
     {
-        "name": "test",
+        "Name": "test",
         "Image": "test_image:latest",
         "EntryPoint": [
             "/opt/draios/bin/instrument"

diff --git a/sysdig/testfiles/fargate_entrypoint_test_expected.json b/sysdig/testfiles/fargate_entrypoint_test_expected.json
@@ -1,6 +1,6 @@
 [
   {
-    "name": "test",
+    "Name": "test",
     "Image": "test_image:latest",
     "EntryPoint": [
       "/opt/draios/bin/instrument"

diff --git a/sysdig/testfiles/fargate_env_test_expected.json b/sysdig/testfiles/fargate_env_test_expected.json
@@ -1,6 +1,6 @@
 [
     {
-        "name": "test",
+        "Name": "test",
         "Image": "test_image:latest",
         "EntryPoint": [
             "/opt/draios/bin/instrument"

diff --git a/sysdig/testfiles/fargate_field_case_test.json b/sysdig/testfiles/fargate_field_case_test.json
@@ -0,0 +1,16 @@
+[
+    {
+        "name": "test",
+        "image": "test_image:latest",
+        "entryPoint": [
+            "/bin/test"
+        ]
+    },
+    {
+        "Name": "other",
+        "Image": "other_image:latest",
+        "entryPoint": [
+            "/bin/other"
+        ]
+    }
+]
diff --git a/sysdig/testfiles/fargate_field_case_test_expected.json b/sysdig/testfiles/fargate_field_case_test_expected.json
@@ -0,0 +1,110 @@
+[
+    {
+        "Name": "test",
+        "Image": "test_image:latest",
+        "EntryPoint": [
+            "/opt/draios/bin/instrument"
+        ],
+        "Command": [
+            "/bin/test"
+        ],
+        "Environment": [
+            {
+                "Name": "SYSDIG_ORCHESTRATOR_PORT",
+                "Value": "orchestrator_port"
+            },
+            {
+                "Name": "SYSDIG_COLLECTOR",
+                "Value": "collector_host"
+            },
+            {
+                "Name": "SYSDIG_COLLECTOR_PORT",
+                "Value": "collector_port"
+            },
+            {
+                "Name": "SYSDIG_ACCESS_KEY",
+                "Value": "sysdig_access_key"
+            },
+            {
+                "Name": "SYSDIG_LOGGING",
+                "Value": "sysdig_logging"
+            },
+            {
+                "Name": "SYSDIG_ORCHESTRATOR",
+                "Value": "orchestrator_host"
+            }
+        ],
+        "LinuxParameters": {
+            "Capabilities": {
+                "Add": [
+                    "SYS_PTRACE"
+                ]
+            }
+        },
+        "VolumesFrom": [
+            {
+                "ReadOnly": true,
+                "SourceContainer": "SysdigInstrumentation"
+            }
+        ]
+    },
+    {
+        "Name": "other",
+        "Image": "other_image:latest",
+        "EntryPoint": [
+            "/opt/draios/bin/instrument"
+        ],
+        "Command": [
+            "/bin/other"
+        ],
+        "Environment": [
+            {
+                "Name": "SYSDIG_ORCHESTRATOR_PORT",
+                "Value": "orchestrator_port"
+            },
+            {
+                "Name": "SYSDIG_COLLECTOR",
+                "Value": "collector_host"
+            },
+            {
+                "Name": "SYSDIG_COLLECTOR_PORT",
+                "Value": "collector_port"
+            },
+            {
+                "Name": "SYSDIG_ACCESS_KEY",
+                "Value": "sysdig_access_key"
+            },
+            {
+                "Name": "SYSDIG_LOGGING",
+                "Value": "sysdig_logging"
+            },
+            {
+                "Name": "SYSDIG_ORCHESTRATOR",
+                "Value": "orchestrator_host"
+            }
+        ],
+        "LinuxParameters": {
+            "Capabilities": {
+                "Add": [
+                    "SYS_PTRACE"
+                ]
+            }
+        },
+        "VolumesFrom": [
+            {
+                "ReadOnly": true,
+                "SourceContainer": "SysdigInstrumentation"
+            }
+        ]
+    },
+    {
+        "EntryPoint": [
+            "/opt/draios/bin/logwriter"
+        ],
+        "Image": "workload_agent_image",
+        "Name": "SysdigInstrumentation",
+        "RepositoryCredentials": {
+            "CredentialsParameter": "image_auth_secret"
+        }
+    }
+]
diff --git a/sysdig/testfiles/fargate_ignore_container_test.json b/sysdig/testfiles/fargate_ignore_container_test.json
@@ -0,0 +1,23 @@
+[
+    {
+        "name": "test",
+        "image": "test_image:latest",
+        "entryPoint": [
+            "/bin/test"
+        ]
+    },
+    {
+        "name": "other",
+        "image": "other_image:latest",
+        "entryPoint": [
+            "/bin/other"
+        ]
+    },
+    {
+        "name": "another",
+        "image": "another_image:latest",
+        "entryPoint": [
+            "/bin/another"
+        ]
+    }
+]