From 0c0855700086967b916f211df3e3cae36c954f89 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 13:24:59 +0100
Subject: [PATCH 1/9] chore(examples/serverless): remove sample orchestrator
 deployment

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../fargate/orchestrator/README.md            | 27 ----------
 .../fargate/orchestrator/orchestrator.tf      | 36 -------------
 .../fargate/orchestrator/output.tf            | 11 ----
 .../fargate/orchestrator/providers.tf         |  4 --
 .../fargate/orchestrator/variables.tf         | 51 -------------------
 .../fargate/orchestrator/versions.tf          | 18 -------
 6 files changed, 147 deletions(-)
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/README.md
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/orchestrator.tf
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/output.tf
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/providers.tf
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/variables.tf
 delete mode 100644 examples/serverless-agent/fargate/orchestrator/versions.tf

diff --git a/examples/serverless-agent/fargate/orchestrator/README.md b/examples/serverless-agent/fargate/orchestrator/README.md
deleted file mode 100644
index c528b975e..000000000
--- a/examples/serverless-agent/fargate/orchestrator/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Serverless Orchestrator Agent
-
-This example deploys an AWS ECS Fargate cluster to run the Serverless Orchestrator Agent. This Agent acts as a proxy between the Collector and many Serverless Workload Agents.
-
-## Prerequisites
-
-The following AWS prerequisites are required to deploy this cluster:
-- VPC
-- 2 subnets
-
-## Components
-
-The cluster will be called `<prefix>-cluster` and will deploy the following:
-- 1 Service (called `OrchestratorAgent`)
-  - 1 Task (with the latest version of the Serverless Orchestrator Agent)
-- Network Load balancer
-- Cloudwatch log group
-- Security group
-
-## Layout
-| **File** | **Purpose** |
-| --- | --- |
-| `main.tf` | AWS provider configuration |
-| `orchestrator.tf` | Orchestrator cluster definition |
-| `output.tf` | Defines the output variables |
-| `variables.tf` | AWS and Agent configuration |
-| `versions.tf` | Defines TF provider versions |
diff --git a/examples/serverless-agent/fargate/orchestrator/orchestrator.tf b/examples/serverless-agent/fargate/orchestrator/orchestrator.tf
deleted file mode 100644
index 102d96042..000000000
--- a/examples/serverless-agent/fargate/orchestrator/orchestrator.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-module "fargate-orchestrator-agent" {
-  source  = "sysdiglabs/fargate-orchestrator-agent/aws"
-  version = "0.5.0"
-
-  vpc_id  = var.vpc_id
-  subnets = [var.subnet_1, var.subnet_2]
-
-  access_key = var.access_key
-
-  collector_host = var.collector_host
-  collector_port = var.collector_port
-
-  name        = var.prefix
-  agent_image = var.agent_orchestrator_image
-
-  # True if the VPC uses an InternetGateway, false otherwise
-  assign_public_ip = true
-
-  tags = var.tags
-}
-
-
-data "aws_ecs_cluster" "fargate-orchestrator" {
-  depends_on = [
-    module.fargate-orchestrator-agent
-  ]
-  cluster_name = "${var.prefix}-cluster"
-}
-
-data "aws_ecs_service" "orchestrator-service" {
-  depends_on = [
-    module.fargate-orchestrator-agent
-  ]
-  service_name = "OrchestratorAgent"
-  cluster_arn  = data.aws_ecs_cluster.fargate-orchestrator.arn
-}
diff --git a/examples/serverless-agent/fargate/orchestrator/output.tf b/examples/serverless-agent/fargate/orchestrator/output.tf
deleted file mode 100644
index 0088749df..000000000
--- a/examples/serverless-agent/fargate/orchestrator/output.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "orchestrator_cluster_name" {
-  value = data.aws_ecs_cluster.fargate-orchestrator.cluster_name
-}
-
-output "orchestrator_cluster_arn" {
-  value = data.aws_ecs_cluster.fargate-orchestrator.arn
-}
-
-output "orchestrator_service_arn" {
-  value = data.aws_ecs_service.orchestrator-service.arn
-}
diff --git a/examples/serverless-agent/fargate/orchestrator/providers.tf b/examples/serverless-agent/fargate/orchestrator/providers.tf
deleted file mode 100644
index f6f28cca8..000000000
--- a/examples/serverless-agent/fargate/orchestrator/providers.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-provider "aws" {
-  region  = var.region
-  profile = var.profile
-}
diff --git a/examples/serverless-agent/fargate/orchestrator/variables.tf b/examples/serverless-agent/fargate/orchestrator/variables.tf
deleted file mode 100644
index 92af8fc9f..000000000
--- a/examples/serverless-agent/fargate/orchestrator/variables.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-# AWS configuration
-variable "prefix" {
-  description = "All resources created by Terraform have this prefix prepended to them"
-}
-
-variable "profile" {
-  description = "AWS profile name"
-  type        = string
-}
-
-variable "region" {
-  description = "AWS Region for deployment"
-  default     = "us-east-1"
-}
-
-variable "subnet_1" {
-  description = "Subnet-1 Id"
-}
-
-variable "subnet_2" {
-  description = "Subnet-2 Id"
-}
-
-variable "vpc_id" {
-  description = "VPC Id"
-}
-
-variable "tags" {
-  type        = map(string)
-  description = "Tags to assign to resources in module"
-  default     = {}
-}
-
-# Serverless Agent Configuration
-variable "access_key" {
-  description = "Sysdig Agent access key"
-}
-
-variable "agent_orchestrator_image" {
-  description = "Orchestrator Agent image to use"
-  default     = "quay.io/sysdig/orchestrator-agent:latest"
-}
-
-variable "collector_host" {
-  description = "Collector host where agent will send the data"
-}
-
-variable "collector_port" {
-  description = "Collector port where agent will send the data"
-  default     = "6443"
-}
diff --git a/examples/serverless-agent/fargate/orchestrator/versions.tf b/examples/serverless-agent/fargate/orchestrator/versions.tf
deleted file mode 100644
index 37120d0a4..000000000
--- a/examples/serverless-agent/fargate/orchestrator/versions.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-terraform {
-  required_version = ">=1.7.2"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.35.0"
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "~> 2.4.1"
-    }
-    sysdig = {
-      source  = "sysdiglabs/sysdig"
-      version = "~> 1.24.5"
-    }
-  }
-}
\ No newline at end of file

From 137cef5a840fdb0a0e3a1386efe9a5a8d51bcd7f Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 13:26:11 +0100
Subject: [PATCH 2/9] chore(examples/serverless): remove sample orchestrated
 workload-agent deployment

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../fargate/workload-legacy/README.md         |  30 ----
 .../workload-legacy/instrumented_load.tf      | 145 ------------------
 .../fargate/workload-legacy/output.tf         |  15 --
 .../fargate/workload-legacy/providers.tf      |   4 -
 .../fargate/workload-legacy/variables.tf      |  56 -------
 .../fargate/workload-legacy/versions.tf       |  18 ---
 6 files changed, 268 deletions(-)
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/README.md
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/output.tf
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/providers.tf
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/variables.tf
 delete mode 100644 examples/serverless-agent/fargate/workload-legacy/versions.tf

diff --git a/examples/serverless-agent/fargate/workload-legacy/README.md b/examples/serverless-agent/fargate/workload-legacy/README.md
deleted file mode 100644
index a221da511..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/README.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# Workload with Serverless Workload Agent
-
-This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
-
-The Workload Agent will use an Orchestrator Agent as a proxy to the Sysdig Collector.
-
-## Prerequisites
-
-The following prerequisites are required to deploy this cluster:
-- Orchestrator Agent deployed
-- VPC
-- 2 subnets
-
-## Components
-
-The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
-- 1 Service (called `<prefix-instrumented-service`)
-  - 1 Task with 2 replicas, each running:
-    - 1 container named `event-gen-1` running `falcosecurity/event-generator`
-    - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
-    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
-
-## Layout
-| **File** | **Purpose** |
-| --- | --- |
-| `instrumented_load.tf` | Workload definition. By default it instruments `falcosecurity/event-generator` |
-| `main.tf` | AWS provider configuration |
-| `output.tf` | Defines the output variables |
-| `variables.tf` | AWS and Agent configuration |
-| `versions.tf` | Defines TF provider versions |
diff --git a/examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf b/examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf
deleted file mode 100644
index fe3307d0d..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf
+++ /dev/null
@@ -1,145 +0,0 @@
-data "sysdig_fargate_workload_agent" "containers_instrumented" {
-  container_definitions = jsonencode([
-    {
-      "name" : "event-gen-1",
-      "image" : "falcosecurity/event-generator",
-      "command" : ["run", "syscall", "--all", "--loop"],
-      "logConfiguration" : {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
-          "awslogs-region" : var.region,
-          "awslogs-stream-prefix" : "task"
-        },
-      }
-    },
-    {
-      "name" : "event-gen-2",
-      "image" : "falcosecurity/event-generator",
-      "command" : ["run", "syscall", "--all", "--loop"],
-      "logConfiguration" : {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
-          "awslogs-region" : var.region,
-          "awslogs-stream-prefix" : "task"
-        },
-      }
-    }
-  ])
-
-  workload_agent_image = var.agent_workload_image
-
-  sysdig_access_key = var.access_key
-  orchestrator_host = var.orchestrator_host
-  orchestrator_port = var.orchestrator_port
-
-  log_configuration {
-    group         = aws_cloudwatch_log_group.instrumented_logs.name
-    stream_prefix = "instrumentation"
-    region        = var.region
-  }
-}
-
-resource "aws_ecs_task_definition" "task_definition" {
-  family             = "${var.prefix}-instrumented-task-definition"
-  task_role_arn      = aws_iam_role.task_role.arn
-  execution_role_arn = aws_iam_role.execution_role.arn
-
-  cpu                      = "256"
-  memory                   = "512"
-  network_mode             = "awsvpc"
-  requires_compatibilities = ["FARGATE"]
-  pid_mode                 = "task"
-
-  container_definitions = data.sysdig_fargate_workload_agent.containers_instrumented.output_container_definitions
-}
-
-
-resource "aws_ecs_cluster" "cluster" {
-  name = "${var.prefix}-instrumented-workload"
-}
-
-resource "aws_cloudwatch_log_group" "instrumented_logs" {
-}
-
-data "aws_iam_policy_document" "assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "execution_role" {
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
-
-  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
-}
-
-resource "aws_iam_role" "task_role" {
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
-
-  inline_policy {
-    name   = "root"
-    policy = data.aws_iam_policy_document.task_policy.json
-  }
-}
-
-data "aws_iam_policy_document" "task_policy" {
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_ecs_service" "service" {
-  name = "${var.prefix}-instrumented-service"
-
-  cluster          = aws_ecs_cluster.cluster.id
-  task_definition  = aws_ecs_task_definition.task_definition.arn
-  desired_count    = var.replicas
-  launch_type      = "FARGATE"
-  platform_version = "1.4.0"
-
-  network_configuration {
-    subnets          = [var.subnet_1, var.subnet_2]
-    security_groups  = [aws_security_group.security_group.id]
-    assign_public_ip = true
-  }
-}
-
-resource "aws_security_group" "security_group" {
-  description = "${var.prefix}-security-group"
-  vpc_id      = var.vpc_id
-}
-
-resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
-  type              = "ingress"
-  protocol          = "tcp"
-  from_port         = 0
-  to_port           = 0
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.security_group.id
-}
-
-resource "aws_security_group_rule" "orchestrator_agent_egress_rule" {
-  type              = "egress"
-  protocol          = "all"
-  from_port         = 0
-  to_port           = 0
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.security_group.id
-}
diff --git a/examples/serverless-agent/fargate/workload-legacy/output.tf b/examples/serverless-agent/fargate/workload-legacy/output.tf
deleted file mode 100644
index 8556be222..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/output.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-output "workload_cluster_name" {
-  value = aws_ecs_cluster.cluster.name
-}
-
-output "workload_cluster_arn" {
-  value = aws_ecs_cluster.cluster.arn
-}
-
-output "service_arn" {
-  value = aws_ecs_service.service.id
-}
-
-output "task_revision" {
-  value = aws_ecs_task_definition.task_definition.revision
-}
diff --git a/examples/serverless-agent/fargate/workload-legacy/providers.tf b/examples/serverless-agent/fargate/workload-legacy/providers.tf
deleted file mode 100644
index 1305d94b4..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/providers.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-provider "aws" {
-  region = var.region
-  profile = var.profile
-}
\ No newline at end of file
diff --git a/examples/serverless-agent/fargate/workload-legacy/variables.tf b/examples/serverless-agent/fargate/workload-legacy/variables.tf
deleted file mode 100644
index 6ec27216d..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/variables.tf
+++ /dev/null
@@ -1,56 +0,0 @@
-# AWS configuration
-variable "prefix" {
-  description = "All resources created by Terraform have this prefix prepended to them"
-}
-
-variable "profile" {
-  description = "AWS profile name"
-  type        = string
-}
-
-variable "region" {
-  description = "AWS Region for deployment"
-  default     = "us-east-1"
-}
-
-variable "subnet_1" {
-  description = "Subnet-1 Id"
-}
-
-variable "subnet_2" {
-  description = "Subnet-2 Id"
-}
-
-variable "vpc_id" {
-  description = "VPC Id"
-}
-
-variable "tags" {
-  type        = map(string)
-  description = "Tags to assign to resources in module"
-  default     = {}
-}
-
-variable "replicas" {
-  description = "Number of workload replicas to run"
-  default     = 2
-}
-
-# Serverless Agent Configuration
-variable "access_key" {
-  description = "Sysdig Agent access key"
-}
-
-variable "agent_workload_image" {
-  description = "Workload agent container image"
-  default     = "quay.io/sysdig/workload-agent:latest"
-}
-
-variable "orchestrator_host" {
-  description = "Orchestrator Host"
-}
-
-variable "orchestrator_port" {
-  description = "Orchestrator Port"
-  default     = 6667
-}
diff --git a/examples/serverless-agent/fargate/workload-legacy/versions.tf b/examples/serverless-agent/fargate/workload-legacy/versions.tf
deleted file mode 100644
index 37120d0a4..000000000
--- a/examples/serverless-agent/fargate/workload-legacy/versions.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-terraform {
-  required_version = ">=1.7.2"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.35.0"
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "~> 2.4.1"
-    }
-    sysdig = {
-      source  = "sysdiglabs/sysdig"
-      version = "~> 1.24.5"
-    }
-  }
-}
\ No newline at end of file

From 99fdc4e4f4883842bebcd1d338c949f64e55a047 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 13:27:23 +0100
Subject: [PATCH 3/9] chore(examples/serverless): rename security groups

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../serverless-agent/fargate/workload/instrumented_load.tf    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/serverless-agent/fargate/workload/instrumented_load.tf b/examples/serverless-agent/fargate/workload/instrumented_load.tf
index 0b6f1370c..b6bf1c46b 100644
--- a/examples/serverless-agent/fargate/workload/instrumented_load.tf
+++ b/examples/serverless-agent/fargate/workload/instrumented_load.tf
@@ -126,7 +126,7 @@ resource "aws_security_group" "security_group" {
   vpc_id      = var.vpc_id
 }
 
-resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
+resource "aws_security_group_rule" "ingress_rule" {
   type              = "ingress"
   protocol          = "tcp"
   from_port         = 0
@@ -135,7 +135,7 @@ resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
   security_group_id = aws_security_group.security_group.id
 }
 
-resource "aws_security_group_rule" "orchestrator_agent_egress_rule" {
+resource "aws_security_group_rule" "egress_rule" {
   type              = "egress"
   protocol          = "all"
   from_port         = 0

From 8b770701dafa72a7751034398dae5d32af8deebb Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:02:23 +0100
Subject: [PATCH 4/9] chore(example/serverless): update resources

 - simplify naming schema
 - drop redundant subnet_2
 - rename subnet_1 to subnet
 - remove redundant workload container
 - bump cpu and memory

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../fargate/workload/instrumented_load.tf     | 31 ++++++-------------
 .../fargate/workload/variables.tf             | 10 ++----
 2 files changed, 12 insertions(+), 29 deletions(-)

diff --git a/examples/serverless-agent/fargate/workload/instrumented_load.tf b/examples/serverless-agent/fargate/workload/instrumented_load.tf
index b6bf1c46b..15c834e66 100644
--- a/examples/serverless-agent/fargate/workload/instrumented_load.tf
+++ b/examples/serverless-agent/fargate/workload/instrumented_load.tf
@@ -7,20 +7,7 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
       "logConfiguration" : {
         "logDriver" : "awslogs",
         "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
-          "awslogs-region" : var.region,
-          "awslogs-stream-prefix" : "task"
-        },
-      }
-    },
-    {
-      "name" : "event-gen-2",
-      "image" : "falcosecurity/event-generator",
-      "command" : ["run", "syscall", "--all", "--loop"],
-      "logConfiguration" : {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-group" : aws_cloudwatch_log_group.logs.name,
           "awslogs-region" : var.region,
           "awslogs-stream-prefix" : "task"
         },
@@ -35,19 +22,19 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
   collector_port    = var.collector_port
 
   log_configuration {
-    group         = aws_cloudwatch_log_group.instrumented_logs.name
+    group         = aws_cloudwatch_log_group.logs.name
     stream_prefix = "instrumentation"
     region        = var.region
   }
 }
 
 resource "aws_ecs_task_definition" "task_definition" {
-  family             = "${var.prefix}-instrumented-task-definition"
+  family             = "${var.prefix}-task-definition"
   task_role_arn      = aws_iam_role.task_role.arn
   execution_role_arn = aws_iam_role.execution_role.arn
 
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = "512"
+  memory                   = "1024"
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   pid_mode                 = "task"
@@ -57,10 +44,10 @@ resource "aws_ecs_task_definition" "task_definition" {
 
 
 resource "aws_ecs_cluster" "cluster" {
-  name = "${var.prefix}-instrumented-workload"
+  name = "${var.prefix}-cluster"
 }
 
-resource "aws_cloudwatch_log_group" "instrumented_logs" {
+resource "aws_cloudwatch_log_group" "logs" {
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -106,7 +93,7 @@ data "aws_iam_policy_document" "task_policy" {
 }
 
 resource "aws_ecs_service" "service" {
-  name = "${var.prefix}-instrumented-service"
+  name = "${var.prefix}-service"
 
   cluster          = aws_ecs_cluster.cluster.id
   task_definition  = aws_ecs_task_definition.task_definition.arn
@@ -115,7 +102,7 @@ resource "aws_ecs_service" "service" {
   platform_version = "1.4.0"
 
   network_configuration {
-    subnets          = [var.subnet_1, var.subnet_2]
+    subnets          = [var.subnet]
     security_groups  = [aws_security_group.security_group.id]
     assign_public_ip = true
   }
diff --git a/examples/serverless-agent/fargate/workload/variables.tf b/examples/serverless-agent/fargate/workload/variables.tf
index ba6abf0ce..8bac9d8d8 100644
--- a/examples/serverless-agent/fargate/workload/variables.tf
+++ b/examples/serverless-agent/fargate/workload/variables.tf
@@ -13,12 +13,8 @@ variable "region" {
   default     = "us-east-1"
 }
 
-variable "subnet_1" {
-  description = "Subnet-1 Id"
-}
-
-variable "subnet_2" {
-  description = "Subnet-2 Id"
+variable "subnet" {
+  description = "Subnet Id"
 }
 
 variable "vpc_id" {
@@ -33,7 +29,7 @@ variable "tags" {
 
 variable "replicas" {
   description = "Number of workload replicas to run"
-  default     = 2
+  default     = 1
 }
 
 # Serverless Agent Configuration

From 0e2c7b519ddce44a5574f69965990c0f17e11b40 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:10:17 +0100
Subject: [PATCH 5/9] chore(example/serverless): rename instrumented_load to
 resources

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../fargate/workload/{instrumented_load.tf => resources.tf}       | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename examples/serverless-agent/fargate/workload/{instrumented_load.tf => resources.tf} (100%)

diff --git a/examples/serverless-agent/fargate/workload/instrumented_load.tf b/examples/serverless-agent/fargate/workload/resources.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/instrumented_load.tf
rename to examples/serverless-agent/fargate/workload/resources.tf

From f92b4956463851cbc20a049dfcaa00fdced7be7a Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:17:21 +0100
Subject: [PATCH 6/9] chore(example/serverless): update providers and versions

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 examples/serverless-agent/fargate/workload/versions.tf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/examples/serverless-agent/fargate/workload/versions.tf b/examples/serverless-agent/fargate/workload/versions.tf
index 37120d0a4..95a1aa035 100644
--- a/examples/serverless-agent/fargate/workload/versions.tf
+++ b/examples/serverless-agent/fargate/workload/versions.tf
@@ -4,15 +4,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.35.0"
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "~> 2.4.1"
+      version = "~>6.32.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.24.5"
+      version = "~>3.4.0"
     }
   }
 }
\ No newline at end of file

From d632212922c26cc892d1219c2901474bc5b96434 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:50:02 +0100
Subject: [PATCH 7/9] chore(examples/serverless): do not default the region

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../serverless-agent/fargate/workload/variables.tf    | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/examples/serverless-agent/fargate/workload/variables.tf b/examples/serverless-agent/fargate/workload/variables.tf
index 8bac9d8d8..b0440445b 100644
--- a/examples/serverless-agent/fargate/workload/variables.tf
+++ b/examples/serverless-agent/fargate/workload/variables.tf
@@ -9,16 +9,15 @@ variable "profile" {
 }
 
 variable "region" {
-  description = "AWS Region for deployment"
-  default     = "us-east-1"
+  description = "AWS Region for deployment, for example: us-east-1"
 }
 
-variable "subnet" {
-  description = "Subnet Id"
+variable "vpc_id" {
+  description = "VPC Id (for example: vpc-1234567890abcde)"
 }
 
-variable "vpc_id" {
-  description = "VPC Id"
+variable "subnet" {
+  description = "Subnet Id (for example: subnet-1234567890abcde)"
 }
 
 variable "tags" {

From 79ceb10bc6d67cefed08c86385b885d0b7cb1436 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:20:44 +0100
Subject: [PATCH 8/9] chore(example/serverless): simplify source tree

From
  examples/serverless-agent/fargate/workload
to
  examples/serverless-agent/ecs-fargate

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../serverless-agent/{fargate/workload => ecs-fargate}/README.md  | 0
 .../serverless-agent/{fargate/workload => ecs-fargate}/output.tf  | 0
 .../{fargate/workload => ecs-fargate}/providers.tf                | 0
 .../{fargate/workload => ecs-fargate}/resources.tf                | 0
 .../{fargate/workload => ecs-fargate}/variables.tf                | 0
 .../{fargate/workload => ecs-fargate}/versions.tf                 | 0
 6 files changed, 0 insertions(+), 0 deletions(-)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/README.md (100%)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/output.tf (100%)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/providers.tf (100%)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/resources.tf (100%)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/variables.tf (100%)
 rename examples/serverless-agent/{fargate/workload => ecs-fargate}/versions.tf (100%)

diff --git a/examples/serverless-agent/fargate/workload/README.md b/examples/serverless-agent/ecs-fargate/README.md
similarity index 100%
rename from examples/serverless-agent/fargate/workload/README.md
rename to examples/serverless-agent/ecs-fargate/README.md
diff --git a/examples/serverless-agent/fargate/workload/output.tf b/examples/serverless-agent/ecs-fargate/output.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/output.tf
rename to examples/serverless-agent/ecs-fargate/output.tf
diff --git a/examples/serverless-agent/fargate/workload/providers.tf b/examples/serverless-agent/ecs-fargate/providers.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/providers.tf
rename to examples/serverless-agent/ecs-fargate/providers.tf
diff --git a/examples/serverless-agent/fargate/workload/resources.tf b/examples/serverless-agent/ecs-fargate/resources.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/resources.tf
rename to examples/serverless-agent/ecs-fargate/resources.tf
diff --git a/examples/serverless-agent/fargate/workload/variables.tf b/examples/serverless-agent/ecs-fargate/variables.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/variables.tf
rename to examples/serverless-agent/ecs-fargate/variables.tf
diff --git a/examples/serverless-agent/fargate/workload/versions.tf b/examples/serverless-agent/ecs-fargate/versions.tf
similarity index 100%
rename from examples/serverless-agent/fargate/workload/versions.tf
rename to examples/serverless-agent/ecs-fargate/versions.tf

From 15993dd174518f866a3b8cdddf0aa28917764cf4 Mon Sep 17 00:00:00 2001
From: francesco-racciatti <francesco.racciatti@sysdig.com>
Date: Wed, 18 Feb 2026 14:11:25 +0100
Subject: [PATCH 9/9] doc(example/serverless): fix README

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
---
 .../serverless-agent/ecs-fargate/README.md    | 48 +++++++++++--------
 1 file changed, 27 insertions(+), 21 deletions(-)

diff --git a/examples/serverless-agent/ecs-fargate/README.md b/examples/serverless-agent/ecs-fargate/README.md
index 36267446d..06b9ee3f0 100644
--- a/examples/serverless-agent/ecs-fargate/README.md
+++ b/examples/serverless-agent/ecs-fargate/README.md
@@ -1,29 +1,35 @@
 # Workload with Serverless Workload Agent
+This example deploys a cluster running a workload application secured by the Serverless Workload Agent.
+The workload used is [falcosecurity/event-generator](https://github.com/falcosecurity/event-generator), which produces synthetic suspicious actions that will trigger Sysdig managed policies. 
 
-This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
-
-The Workload Agent will directly connect to the Sysdig Collector.
 
 ## Prerequisites
+The following prerequisites are required to deploy this sample:
+- `VPC ID`, the ID of an already existing VPC
+- `Subnet ID`, the ID of an already existing Subnet within the VPC above
+
+
+## Usage
+```
+$ terraform init
+$ terraform apply
+```
 
-The following prerequisites are required to deploy this cluster:
-- VPC
-- 2 subnets
 
 ## Components
+| **Component**      | **Name**                   | **Description**                                                                                                                                     |
+|--------------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| ECS Cluster        | `<prefix>-cluster`         | The cluster containing the ECS Service below.                                                                                                       |
+| ECS Service        | `<prefix>-service`         | The service running the TaskDefinition below.                                                                                                       |
+| ECS TaskDefinition | `<prefix>-task-definition` | The task definition including a workload container being secured by the Serverless Agent.                                                           |
+| ECS SecurityGroup  | `<prefix>-security-group`  | The security group ensuring connectivity to the Serverless Agent. This security group has no restrictions applied and is intended for testing only. |
+
 
-The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
-- 1 Service (called `<prefix-instrumented-service`)
-  - 1 Task with 2 replicas, each running:
-    - 1 container named `event-gen-1` running `falcosecurity/event-generator`
-    - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
-    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
-
-## Layout
-| **File** | **Purpose** |
-| --- | --- |
-| `instrumented_load.tf` | Workload definition. By default it instruments `falcosecurity/event-generator` |
-| `main.tf` | AWS provider configuration |
-| `output.tf` | Defines the output variables |
-| `variables.tf` | AWS and Agent configuration |
-| `versions.tf` | Defines TF provider versions |
+## Files
+| **File**       | **Description**                                                                                          |
+|----------------|----------------------------------------------------------------------------------------------------------|
+| `output.tf`    | Contains the reference to the cluster, service, and task revision being deployed.                        |
+| `providers.tf` | Contains the configuration parameters for the providers.                                                 |
+| `resources.tf` | Contains the resources to deploy, including the task definition being secured with the Serverless Agent. |
+| `variables.tf` | Contains the configuration parameters for AWS and the Serverless Agent.                                  |
+| `versions.tf`  | Defines the version of the providers.                                                                    |