feat: changed the default values of enable_app_checks and enable_jmx to false to align with sysdig chart default. Renamed the input kernel_module_image_tag_digest -> kernel_module_image_digest and added validation to only allow image digest value. Added fix was causing incorrect digest value to be set for the kernal module image. (#271)

jor2 · web-flow · commit eb2d2107f253 · 2025-12-04T10:02:15.000Z
diff --git a/README.md b/README.md
@@ -111,7 +111,7 @@ No modules.
 | <a name="input_access_key"></a> [access\_key](#input\_access\_key) | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no |
 | <a name="input_add_cluster_name"></a> [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
 | <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no |
-| <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no |
+| <a name="input_agent_image_tag_digest"></a> [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no |
 | <a name="input_agent_limits_cpu"></a> [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
 | <a name="input_agent_limits_memory"></a> [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specify memory resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
 | <a name="input_agent_mode"></a> [agent\_mode](#input\_agent\_mode) | The operational mode for the monitoring agent. [Learn more](https://docs.sysdig.com/en/docs/administration/configure-agent-modes/). | `string` | `null` | no |
@@ -134,18 +134,18 @@ No modules.
 | <a name="input_cluster_shield_requests_memory"></a> [cluster\_shield\_requests\_memory](#input\_cluster\_shield\_requests\_memory) | Specify memory resource requests for the cluster shield pods. | `string` | `"512Mi"` | no |
 | <a name="input_container_filter"></a> [container\_filter](#input\_container\_filter) | Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data | <pre>list(object({<br/>    type      = string<br/>    parameter = string<br/>    name      = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_deployment_tag"></a> [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
-| <a name="input_enable_app_checks"></a> [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `true` | no |
+| <a name="input_enable_app_checks"></a> [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `false` | no |
 | <a name="input_enable_host_scanner"></a> [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
-| <a name="input_enable_jmx"></a> [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `true` | no |
+| <a name="input_enable_jmx"></a> [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `false` | no |
 | <a name="input_enable_kspm_analyzer"></a> [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
 | <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no |
 | <a name="input_existing_access_key_secret_name"></a> [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | <a name="input_image_registry_base_url"></a> [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull all images from. For example `icr.io` or `quay.io`. | `string` | `"icr.io"` | no |
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
 | <a name="input_instance_region"></a> [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes |
 | <a name="input_is_vpc_cluster"></a> [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
+| <a name="input_kernel_module_image_digest"></a> [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported. | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | <a name="input_kernel_module_image_repository"></a> [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no |
-| <a name="input_kernel_module_image_tag_digest"></a> [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | <a name="input_max_surge"></a> [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. If `max_surge` is set to null, the `max_surge` setting is ignored. The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no |
 | <a name="input_max_unavailable"></a> [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no |
 | <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -431,7 +431,14 @@
               "key": "kernel_module_image_repository"
             },
             {
-              "key": "kernel_module_image_tag_digest"
+              "key": "kernel_module_image_digest",
+              "value_constraints": [
+                {
+                  "type": "regex",
+                  "description": "The image digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported.",
+                  "value": "^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$"
+                }
+              ]
             },
             {
               "key": "existing_access_key_secret_name"
diff --git a/main.tf b/main.tf
@@ -36,6 +36,10 @@ locals {
   base_endpoint           = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
   ingestion_endpoint      = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
   api_host                = replace(local.ingestion_endpoint, "ingest.", "")
+  # The Sysdig Helm chart automatically appends the '@' symbol to the digest,
+  # so we strip it from the input variable to avoid duplication.
+  # See: https://github.com/sysdiglabs/charts/blob/75862bc8939ee7431a38c04ecea36652a8d3035d/charts/agent/templates/_helpers.tpl#L163
+  kernel_module_digest = split("@", var.kernel_module_image_digest)[1]
   dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{
     name  = "global.sysdig.accessKeySecret"
     type  = "string"
@@ -182,7 +186,7 @@ resource "helm_release" "cloud_monitoring_agent" {
       "repository": ${var.agent_image_repository}
     "kmoduleImage":
       "repository": ${var.kernel_module_image_repository}
-      "digest": ${var.kernel_module_image_tag_digest}
+      "digest": ${local.kernel_module_digest}
   "image":
     "registry": ${var.image_registry_base_url}
     "tag": ${var.agent_image_tag_digest}
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -55,7 +55,7 @@ module "monitoring_agent" {
   image_registry_namespace        = var.image_registry_namespace
   agent_image_repository          = var.agent_image_repository
   agent_image_tag_digest          = var.agent_image_tag_digest
-  kernel_module_image_tag_digest  = var.kernel_module_image_tag_digest
+  kernel_module_image_digest      = var.kernel_module_image_digest
   kernel_module_image_repository  = var.kernel_module_image_repository
   agent_limits_cpu                = var.agent_limits_cpu
   agent_limits_memory             = var.agent_limits_memory
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -212,19 +212,23 @@ variable "agent_image_repository" {
 }
 
 variable "agent_image_tag_digest" {
-  description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+  description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`."
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
   default  = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim
   nullable = false
 }
 
-variable "kernel_module_image_tag_digest" {
-  description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
+variable "kernel_module_image_digest" {
+  description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported."
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
   default  = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule
   nullable = false
+  validation {
+    condition     = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest))
+    error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported."
+  }
 }
 
 variable "kernel_module_image_repository" {
@@ -355,13 +359,13 @@ variable "enable_kspm_analyzer" {
 variable "enable_app_checks" {
   type        = bool
   description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored."
-  default     = true
+  default     = false
 }
 
 variable "enable_jmx" {
   type        = bool
   description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications."
-  default     = true
+  default     = false
 }
 
 variable "agent_mode" {
diff --git a/variables.tf b/variables.tf
@@ -188,19 +188,23 @@ variable "agent_image_repository" {
 }
 
 variable "agent_image_tag_digest" {
-  description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+  description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`."
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
   default  = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim
   nullable = false
 }
 
-variable "kernel_module_image_tag_digest" {
-  description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
+variable "kernel_module_image_digest" {
+  description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported."
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
   default  = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule
   nullable = false
+  validation {
+    condition     = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest))
+    error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported."
+  }
 }
 
 variable "kernel_module_image_repository" {
@@ -360,13 +364,13 @@ variable "enable_kspm_analyzer" {
 variable "enable_app_checks" {
   type        = bool
   description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored."
-  default     = true
+  default     = false
 }
 
 variable "enable_jmx" {
   type        = bool
   description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications."
-  default     = true
+  default     = false
 }
 
 variable "agent_mode" {
