terraform-ibm-modules · ocofaigh · Dec 4, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
@@ -144,8 +144,8 @@ No modules.
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
 | <a name="input_instance_region"></a> [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes |
 | <a name="input_is_vpc_cluster"></a> [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
+| <a name="input_kernel_module_image_digest"></a> [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | <a name="input_kernel_module_image_repository"></a> [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no |
-| <a name="input_kernel_module_image_tag_digest"></a> [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | <a name="input_max_surge"></a> [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. If `max_surge` is set to null, the `max_surge` setting is ignored. The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no |
 | <a name="input_max_unavailable"></a> [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no |
 | <a name="input_metrics_filter"></a> [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics | <pre>list(object({<br/>    include = optional(string)<br/>    exclude = optional(string)<br/>  }))</pre> | `[]` | no |

@@ -431,7 +431,7 @@
               "key": "kernel_module_image_repository"
             },
             {
-              "key": "kernel_module_image_tag_digest"
+              "key": "kernel_module_image_digest"
             },
             {
               "key": "existing_access_key_secret_name"

@@ -36,6 +36,7 @@ locals {
   base_endpoint           = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
   ingestion_endpoint      = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
   api_host                = replace(local.ingestion_endpoint, "ingest.", "")
+  kernel_module_digest    = split("@", var.kernel_module_image_digest)[1]
   dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{
     name  = "global.sysdig.accessKeySecret"
     type  = "string"
@@ -182,7 +183,7 @@ resource "helm_release" "cloud_monitoring_agent" {
       "repository": ${var.agent_image_repository}
     "kmoduleImage":
       "repository": ${var.kernel_module_image_repository}
-      "digest": ${var.kernel_module_image_tag_digest}
+      "digest": ${local.kernel_module_digest}
   "image":
     "registry": ${var.image_registry_base_url}
     "tag": ${var.agent_image_tag_digest}

@@ -55,7 +55,7 @@ module "monitoring_agent" {
   image_registry_namespace        = var.image_registry_namespace
   agent_image_repository          = var.agent_image_repository
   agent_image_tag_digest          = var.agent_image_tag_digest
-  kernel_module_image_tag_digest  = var.kernel_module_image_tag_digest
+  kernel_module_image_digest      = var.kernel_module_image_digest
   kernel_module_image_repository  = var.kernel_module_image_repository
   agent_limits_cpu                = var.agent_limits_cpu
   agent_limits_memory             = var.agent_limits_memory

@@ -219,7 +219,7 @@ variable "agent_image_tag_digest" {
   nullable = false
 }
 
-variable "kernel_module_image_tag_digest" {
+variable "kernel_module_image_digest" {
   description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line

@@ -195,7 +195,7 @@ variable "agent_image_tag_digest" {
   nullable = false
 }
 
-variable "kernel_module_image_tag_digest" {
+variable "kernel_module_image_digest" {
   description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
   type        = string
   # This version is automatically managed by renovate automation - do not remove the datasource comment on next line