SSPROD-55654 - include/exclude: add deprecation date for management_group_ids var

jose-pablo-camacho · jose-pablo-camacho · commit 4ef6a55c5413 · 2025-05-06T12:41:23.000-06:00
diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf
@@ -7,6 +7,10 @@ locals {
     length(var.exclude_projects) > 0
   )
 
+  # add 'folders/' prefix to the include/exclude folders
+  prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]
+  prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]
+
   # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
   check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
 
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
@@ -32,8 +32,8 @@ resource "sysdig_secure_organization" "google_organization" {
   management_account_id          = sysdig_secure_cloud_auth_account.google_account.id
   organizational_unit_ids        = local.check_old_management_group_ids_param ? var.management_group_ids : []
   organization_root_id           = local.root_org[0]
-  included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders
-  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders
+  included_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_include_folders
+  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders
   included_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.include_projects
   excluded_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.exclude_projects
   depends_on = [
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
@@ -18,7 +18,7 @@ variable "organization_domain" {
 variable "management_group_ids" {
   description = <<-EOF
     TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
-    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded.
+    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded. e.g. ["organizations/123456789012"], ["folders/123456789012"]
     Default: onboard all folders.
     EOF
   type        = set(string)
@@ -32,13 +32,13 @@ variable "suffix" {
 }
 
 variable "include_folders" {
-  description = "(Optional) folders to include for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  description = "(Optional) folders to include for organization in the format '[{folder_id_one}, {folder_id_two}]' i.e: '[\"123456789012\", \"123456789012\"]'"
   type        = set(string)
   default     = []
 }
 
 variable "exclude_folders" {
-  description = "(Optional) folders to exclude for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  description = "(Optional) folders to exclude for organization in the format '[{folder_id_one}, {folder_id_two}]' i.e: '[\"123456789012\", \"123456789012\"]'"
   type        = set(string)
   default     = []
 }

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,10 @@ locals {`
`7`	`7`	`length(var.exclude_projects) > 0`
`8`	`8`	`)`
`9`	`9`
	`10`	`+ # add 'folders/' prefix to the include/exclude folders`
	`11`	`+ prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]`
	`12`	`+ prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]`
	`13`	`+`
`10`	`14`	`# check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it`
`11`	`15`	`check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0`
`12`	`16`