SSPROD-55654 - include/exclude - add deprecation date and allow folderIds (#65)

jose-pablo-camacho · web-flow · commit bb2119e26ff9 · 2025-05-06T12:58:54.000-06:00
* SSPROD-55654 - include/exclude: add deprecation date for management_group_ids var

* SSPROD-55654 - include/exclude: add deprecation date for management_group_ids var

* SSPROD-55654 - include/exclude: add deprecation date for management_group_ids var
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
@@ -2,70 +2,87 @@
 
 This module will deploy Foundational Onboarding resources in GCP for a single project, or for a GCP Organization.
 The Foundational Onboarding module serves the following functions:
+
 - retrieving inventory for single project, or for all projects within an Organization.
 - running organization scraping in the case of organizational onboarding within GCP Organization.
 
 If instrumenting a project, the following resources will be created:
+
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
-- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions.
+- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
+  your behalf to validate resources.
+- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the
+  foundational functions.
 
 If instrumenting an Organziation, the following resources will be created:
+
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
-- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions.
-- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on.
+- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
+  your behalf to validate resources.
+- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve
+  the foundational functions.
+- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure
+  to install Sysdig Secure for Cloud on.
 
 Note:
-- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+
+- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other
+  features/integrations modules for subsequent modular installs.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
 ## Requirements
 
-| Name | Version   |
-|------|-----------|
+| Name                                                                      | Version   |
+|---------------------------------------------------------------------------|-----------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0  |
-| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.34.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google)          | >= 4.21.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | >= 1.34.0 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
+| Name                                                       | Version |
+|------------------------------------------------------------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0   |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1  |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-| [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
-| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) |
+resource |
+| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) |
+data source |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) |
+data source |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
-| [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
-| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
-| [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource |
-| [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) | resource |
+| [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) |
+resource |
+| [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) |
+resource |
+| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) |
+resource |
+| [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) |
+resource |
+| [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |
+resource |
 
 ## Inputs
 
-| Name                                                                                          | Description                                                                                                                                                                             | Type          | Default | Required |
-|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
-| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)       | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                                                                                   | `bool`        | `false` |    no    |
-| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                                                                                    | `string`      | `""`    |    no    |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id)                            | (Required) Target Project identifier provided by the customer                                                                                                                           | `string`      | n/a     |   yes    |
-| <a name="input_suffix"></a> [suffix](#input\_suffix)                                          | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated                                                               | `string`      | `null`  |    no    |
-| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)            | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.<br>List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
-| <a name="input_include_folders"></a> [suffix](#input\_include\_folders)                       | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                      | `set(string)` | `[]`    |    no    |
-| <a name="input_exclude_folders"></a> [suffix](#input\_exclude\_folders)                       | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                      | `set(string)` | `[]`    |    no    |
-| <a name="input_include_projects"></a> [suffix](#input\_include\_projects)                     | projects to include for organization. i.e: my-project-id                                                                                                                                | `set(string)` | `[]`    |    no    |
-| <a name="input_exclude_projects"></a> [suffix](#input\_exclude\_projects)                     | projects to exclude for organization. i.e: my-project-id                                                                                                                                | `set(string)` | `[]`    |    no    |
-
-
+| Name                                                                                          | Description                                                                                                                                                                                                    | Type          | Default | Required |
+|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)       | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                                                                                                          | `bool`        | `false` |    no    |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                                                                                                           | `string`      | `""`    |    no    |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id)                            | (Required) Target Project identifier provided by the customer                                                                                                                                                  | `string`      | n/a     |   yes    |
+| <a name="input_suffix"></a> [suffix](#input\_suffix)                                          | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated                                                                                      | `string`      | `null`  |    no    |
+| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)            | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.<br>List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
+| <a name="input_include_folders"></a> [suffix](#input\_include\_folders)                       | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                                             | `set(string)` | `[]`    |    no    |
+| <a name="input_exclude_folders"></a> [suffix](#input\_exclude\_folders)                       | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                                             | `set(string)` | `[]`    |    no    |
+| <a name="input_include_projects"></a> [suffix](#input\_include\_projects)                     | projects to include for organization. i.e: my-project-id                                                                                                                                                       | `set(string)` | `[]`    |    no    |
+| <a name="input_exclude_projects"></a> [suffix](#input\_exclude\_projects)                     | projects to exclude for organization. i.e: my-project-id                                                                                                                                                       | `set(string)` | `[]`    |    no    |
 
 ## Outputs
 
diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf
@@ -7,6 +7,10 @@ locals {
     length(var.exclude_projects) > 0
   )
 
+  # add 'folders/' prefix to the include/exclude folders
+  prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]
+  prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]
+
   # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
   check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
 
@@ -18,7 +22,7 @@ check "validate_org_configuration_params" {
   assert {
     condition     = length(var.management_group_ids) == 0 # if this condition is false we throw warning
     error_message = <<-EOT
-    WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
+    WARNING: TO BE DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
     EOT
   }
 
@@ -28,7 +32,7 @@ check "validate_org_configuration_params" {
     ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
     ONLY management_group_ids will be considered. Please use only one of the two methods.
 
-    Note: management_group_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
     EOT
   }
 }
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
@@ -32,8 +32,8 @@ resource "sysdig_secure_organization" "google_organization" {
   management_account_id          = sysdig_secure_cloud_auth_account.google_account.id
   organizational_unit_ids        = local.check_old_management_group_ids_param ? var.management_group_ids : []
   organization_root_id           = local.root_org[0]
-  included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders
-  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders
+  included_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_include_folders
+  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders
   included_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.include_projects
   excluded_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.exclude_projects
   depends_on = [
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
@@ -17,8 +17,8 @@ variable "organization_domain" {
 
 variable "management_group_ids" {
   description = <<-EOF
-    TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
-    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded.
+    TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
+    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded. e.g. ["organizations/123456789012"], ["folders/123456789012"]
     Default: onboard all folders.
     EOF
   type        = set(string)
@@ -32,13 +32,13 @@ variable "suffix" {
 }
 
 variable "include_folders" {
-  description = "(Optional) folders to include for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  description = "(Optional) folders to include for organization in the format '[{folder_id_one}, {folder_id_two}]' i.e: '[\"123456789012\", \"123456789012\"]'"
   type        = set(string)
   default     = []
 }
 
 variable "exclude_folders" {
-  description = "(Optional) folders to exclude for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  description = "(Optional) folders to exclude for organization in the format '[{folder_id_one}, {folder_id_two}]' i.e: '[\"123456789012\", \"123456789012\"]'"
   type        = set(string)
   default     = []
 }
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -27,7 +27,7 @@ module "onboarding" {
   # management_group_ids = ["folders/123456789012"]
 
   # include/exclude parameters
-  include_folders = ["folders/123456789012"]
+  include_folders = ["123456789012", "12345678911"]
   exclude_folders = []
   include_projects = ["<project-id-1>", "<project-id-2>"]
   exclude_projects = ["<project-id-3>", "<project-id-4>"]

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,10 @@ locals {`
`7`	`7`	`length(var.exclude_projects) > 0`
`8`	`8`	`)`
`9`	`9`
	`10`	`+ # add 'folders/' prefix to the include/exclude folders`
	`11`	`+ prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]`
	`12`	`+ prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]`
	`13`	`+`
`10`	`14`	`# check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it`
`11`	`15`	`check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0`
`12`	`16`
`@@ -18,7 +22,7 @@ check "validate_org_configuration_params" {`
`18`	`22`	`assert {`
`19`	`23`	`condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning`
`20`	`24`	`error_message = <<-EOT`
`21`		`- WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.`
	`25`	`+ WARNING: TO BE DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.`
`22`	`26`	`EOT`
`23`	`27`	`}`
`24`	`28`
`@@ -28,7 +32,7 @@ check "validate_org_configuration_params" {`
`28`	`32`	`ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,`
`29`	`33`	`ONLY management_group_ids will be considered. Please use only one of the two methods.`
`30`	`34`
`31`		`- Note: management_group_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.`
	`35`	`+ Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.`
`32`	`36`	`EOT`
`33`	`37`	`}`
`34`	`38`	`}`