Skip to main content
Version: v4.7

Upgrade Procedures

If you have an existing sidecar running on a previous version, use the instructions on this page to successfully upgrade it to v4.7.

Terraform AWS EC2

Sidecars v4.7.0 and later which are deployed using Cyral's terraform-aws-sidecar-ec2 Terraform module require a new major version v4. Detailed information about the changes can be found in the module change log.

If your sidecar logs are sent to Datadog, ELK, Splunk or Sumologic, make sure that this log integration is configured in the control plane and contains all the required information to send logs to the desired destination. The sidecar will dynamically retrieve this configuration and use it to push the logs.

In order to upgrade an existing sidecar, re-download the template from the control plane and select the desired log integration. The template can be re-downloaded by selecting an existing sidecar, clicking Actions (top right corner), selecting Update and finally clicking Generate. Make sure the correct log integration is selected before clicking Generate.

note

The log integration selected in the UI during the template download will be used by the sidecar instances to define the log destination.

note

We recommend that customers creating the entire sidecar configuration using Cyral Terraform provider use the new resource cyral_integration_logging to define the preferred log integration. See more details in the resource documentation.

Instance refresh

This new module version introduces the automatic instance refresh to the Auto Scaling Group (ASG). Following command terraform apply during the sidecar version upgrade, the EC2 instances will be automatically replaced with the upgraded sidecar version. more details in the change log.

Custom certificates

The Terraform modules sidecar-custom-certificate and sidecar-custom-certificate-letsencrypt have been deprecated.

Even though these modules are still functional, we encourage customers to use the new sidecar module variables SidecarTLSCertificateSecretArn and SidecarCACertificateSecretArn to provide certificates directly to the sidecar. It requires a new format for the secrets' keys, thus the old secrets from the deprecated modules will not work. See the documentation for more details.

warning

Once providing the new secret to variable sidecar_tls_certificate_secret_arn during sidecar deployment, go to the Cyral control plane, select the corresponding sidecar, click on the Advanced tab and disable the option Use a custom certificate for TLS connections. This will prevent the sidecar from using the certificate deployed by one of the deprecated modules.

CloudFormation

In order to upgrade an existing sidecar, re-download its template from the control plane and select the desired log integration. The template can be re-downloaded by selecting an existing sidecar, clicking Actions (top right corner), selecting Update and finally clicking Generate. Make sure the correct log integration is selected before clicking Generate.

Custom certificates

The CloudFormation templates cft_sidecar_custom_certificate.yaml and cft_sidecar_custom_certificate_letsencrypt.yaml have been deprecated.

Even though these templates are still functional, we encourage customers to use the new sidecar template variables SidecarTLSCertificateSecretArn and SidecarCACertificateSecretArn to provide certificates directly to the sidecar. It requires a new format for the secrets' keys, thus the old secrets from the deprecated modules will not work. See the documentation for more details.

warning

Once providing the new secret to variable SidecarTLSCertificateSecretArn during sidecar deployment, go to the Cyral control plane, select the corresponding sidecar, click on the Advanced tab and disable the option Use a custom certificate for TLS connections. This will prevent the sidecar from using the certificate deployed by one of the deprecated templates.

Helm

The option to configure the custom certificate secret using the Cyral control plane has been deprecated. Even though this option is still functional, we encourage customers to use the new input variables certificateManager.certificates.tls.existingSecret and certificateManager.certificates.ca.existingSecret available in the values file. See the documentation for more details.

warning

Once providing the secrets to the values file during sidecar deployment, go to the Cyral control plane, select the corresponding sidecar, click on the Advanced tab and disable the option Use a custom certificate for TLS connections.