From e2e70e70e1fc2ec81493eda1697ee1d35ada6ecc Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Mon, 21 Apr 2025 20:29:04 -0600 Subject: [PATCH 1/5] SSPROD-55652 - feat: add support for include/exclude params --- modules/agentless-scan/README.md | 18 +++++++----- modules/agentless-scan/variables.tf | 24 ++++++++++++++++ modules/config-posture/README.md | 18 +++++++----- modules/config-posture/variables.tf | 24 ++++++++++++++++ modules/integrations/pub-sub/README.md | 4 +++ modules/integrations/pub-sub/test.log | 30 ++++++++++++++++++++ modules/integrations/pub-sub/variables.tf | 24 ++++++++++++++++ modules/onboarding/README.md | 23 ++++++++++----- modules/onboarding/locals.tf | 34 +++++++++++++++++++++++ modules/onboarding/organizational.tf | 9 ++++-- modules/onboarding/outputs.tf | 20 +++++++++++++ modules/onboarding/variables.tf | 30 +++++++++++++++++++- modules/vm-workload-scanning/README.md | 19 ++++++++----- modules/vm-workload-scanning/variables.tf | 24 ++++++++++++++++ 14 files changed, 270 insertions(+), 31 deletions(-) create mode 100644 modules/integrations/pub-sub/test.log create mode 100644 modules/onboarding/locals.tf diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md index acd02b5..0b37cdb 100644 --- a/modules/agentless-scan/README.md +++ b/modules/agentless-scan/README.md 
@@ -71,13 +71,17 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-----------------------------|:--------:| -| [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes | -| [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no | -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no | -| [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:| +| [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes | +| [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no | +| [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string` | `null` | no |
+| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no |
 ## Outputs
diff --git a/modules/agentless-scan/variables.tf b/modules/agentless-scan/variables.tf
index c8ef09d..2a55bfc 100644
--- a/modules/agentless-scan/variables.tf
+++ b/modules/agentless-scan/variables.tf
@@ -25,3 +25,27 @@ variable "suffix" {
 description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated."
 default = null
 }
+
+variable "include_folders" {
+ description = "(Optional) folders to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_folders" {
+ description = "(Optional) folders to exclude for organization"
+ type = set(string)
+ default = []
+}
+
+variable "include_projects" {
+ description = "(Optional) projects to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_projects" {
+ description = "(Optional) projects to exclude for organization"
+ type = set(string)
+ default = []
+}
\ No newline at end of file
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 8ad48fc..4285807 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -55,13 +55,17 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. 
sysdig.com | `string` | `""` | no |
+| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
+| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |
+| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no |
 ## Outputs
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
index b975bc2..a45e334 100644
--- a/modules/config-posture/variables.tf
+++ b/modules/config-posture/variables.tf
@@ -24,4 +24,28 @@ variable "suffix" {
 variable "sysdig_secure_account_id" {
 type = string
 description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
+}
+
+variable "include_folders" {
+ description = "(Optional) folders to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_folders" {
+ description = "(Optional) folders to exclude for organization"
+ type = set(string)
+ default = []
+}
+
+variable "include_projects" {
+ description = "(Optional) projects to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_projects" {
+ description = "(Optional) projects to exclude for organization"
+ type = set(string)
+ default = []
 }
\ No newline at end of file
diff --git a/modules/integrations/pub-sub/README.md b/modules/integrations/pub-sub/README.md index 27d53a6..fd017ea 100644 --- a/modules/integrations/pub-sub/README.md +++ b/modules/integrations/pub-sub/README.md @@ -90,6 +90,10 @@ No modules. | [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | | [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. |
list(object({
name = string,
description = optional(string),
filter = string,
disabled = optional(bool)
}))
| `[]` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | `""` | no | +| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | +| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | ## Outputs diff --git a/modules/integrations/pub-sub/test.log b/modules/integrations/pub-sub/test.log new file mode 100644 index 0000000..b9dc9bb --- /dev/null +++ b/modules/integrations/pub-sub/test.log 
@@ -0,0 +1,30 @@ +2024-10-16T03:29:17.754-0600 [INFO] Terraform version: 1.5.7 +2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0 +2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2 +2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0 +2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/zclconf/go-cty v1.12.2 +2024-10-16T03:29:17.754-0600 [INFO] Go runtime version: go1.22.2 +2024-10-16T03:29:17.754-0600 [INFO] CLI args: []string{"terraform", "fmt"} +2024-10-16T03:29:17.754-0600 [DEBUG] Attempting to open CLI config file: /Users/jose.camacho/.terraformrc +2024-10-16T03:29:17.754-0600 [DEBUG] File doesn't exist, but doesn't need to. Ignoring. +2024-10-16T03:29:17.755-0600 [DEBUG] checking for credentials in "/Users/jose.camacho/.terraform.d/plugins" +2024-10-16T03:29:17.755-0600 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins +2024-10-16T03:29:17.755-0600 [DEBUG] will search for provider plugins in /Users/jose.camacho/.terraform.d/plugins +2024-10-16T03:29:17.756-0600 [DEBUG] ignoring non-existing provider search directory /Users/jose.camacho/Library/Application Support/io.terraform/plugins +2024-10-16T03:29:17.756-0600 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins +2024-10-16T03:29:17.757-0600 [INFO] CLI command args: []string{"fmt"} +2024-10-16T13:30:53.059-0600 [INFO] Terraform version: 1.5.7 +2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0 +2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2 +2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0 +2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/zclconf/go-cty v1.12.2 +2024-10-16T13:30:53.060-0600 [INFO] Go runtime version: go1.22.2 +2024-10-16T13:30:53.060-0600 [INFO] CLI args: []string{"terraform", "fmt"} +2024-10-16T13:30:53.060-0600 
[DEBUG] Attempting to open CLI config file: /Users/jose.camacho/.terraformrc +2024-10-16T13:30:53.060-0600 [DEBUG] File doesn't exist, but doesn't need to. Ignoring. +2024-10-16T13:30:53.060-0600 [DEBUG] checking for credentials in "/Users/jose.camacho/.terraform.d/plugins" +2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins +2024-10-16T13:30:53.061-0600 [DEBUG] will search for provider plugins in /Users/jose.camacho/.terraform.d/plugins +2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory /Users/jose.camacho/Library/Application Support/io.terraform/plugins +2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins +2024-10-16T13:30:53.062-0600 [INFO] CLI command args: []string{"fmt"} diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf index 6cf397b..da622cd 100644 --- a/modules/integrations/pub-sub/variables.tf +++ b/modules/integrations/pub-sub/variables.tf @@ -100,4 +100,28 @@ variable "ingestion_sink_filter" { variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)" +} + +variable "include_folders" { + description = "(Optional) folders to include for organization" + type = set(string) + default = [] +} + +variable "exclude_folders" { + description = "(Optional) folders to exclude for organization" + type = set(string) + default = [] +} + +variable "include_projects" { + description = "(Optional) projects to include for organization" + type = set(string) + default = [] +} + +variable "exclude_projects" { + description = "(Optional) projects to exclude for organization" + type = set(string) + default = [] } \ No newline at end of file 
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index d865008..dd1e3bf 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
@@ -53,13 +53,17 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [suffix](#input\_management\_group\_ids) | (Optional) List of management group ids w.r.t an org install. If not provided, set to empty by default | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. 
sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no | +| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | +| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | @@ -71,6 +75,11 @@ No modules. | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | | [organization\_domain](#output\_organization\_domain) | Organization domain of the GCP org being onboarded | | [project\_id](#output\_project\_id) | The management project id chosen during install, where global resources are deployed | +| [suffix](#output\_include\_folders) | folders to include for organization | +| [suffix](#output\_exclude\_folders) | folders to exclude for organization | +| [suffix](#output\_include\_projects) | projects to include for organization | +| [suffix](#output\_exclude\_projects) | projects to exclude for organization | + ## Authors diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf new file mode 100644 index 0000000..ed60fe1 --- /dev/null +++ b/modules/onboarding/locals.tf 
@@ -0,0 +1,34 @@
+locals {
+ # check if both old and new include/exclude org parameters are used, we fail early
+ both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
+ length(var.include_folders) > 0 ||
+ length(var.exclude_folders) > 0 ||
+ length(var.include_projects) > 0 ||
+ length(var.exclude_projects) > 0
+ )
+
+ # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
+ check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
+
+ # fetch the GCP root org
+ root_org = var.is_organizational ? [data.google_organization.org[0].org_id] : []
+}
+
+check "validate_org_configuration_params" {
+ assert {
+ condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning
+ error_message = <<-EOT
+ WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
+ EOT
+ }
+
+ assert {
+ condition = !local.both_org_configuration_params # if this condition is false we throw error
+ error_message = <<-EOT
+ ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
+ ONLY management_group_ids will be considered. Please use only one of the two methods.
+
+ Note: management_group_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+ EOT
+ }
+}
\ No newline at end of file
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 3c5f403..a65b0ca 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
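Review bot: The second assert in `check "validate_org_configuration_params"` cannot stop a plan or apply: a Terraform `check` block only emits a warning when an assertion is false, so the comment `# if this condition is false we throw error` and the `we fail early` comment above `both_org_configuration_params` overstate what happens, and a configuration that sets both `management_group_ids` and the new include/exclude sets still applies with the exclusions silently reduced to `[]` (the ternaries in the organizational.tf hunk below). If a hard stop is intended, keep the local but enforce it with a `lifecycle { precondition }` on `sysdig_secure_organization.google_organization` in that hunk, and reword the two locals comments to `# warn-only: a failing check assertion never blocks apply`. The first assert also fires when `is_organizational` is false but `management_group_ids` is set, which may be intended but deserves a comment. `data.google_organization.org` is referenced here but declared outside this hunk, and `check` blocks presumably need a `required_version` of at least 1.5, which is not visible on this page.
```hcl
resource "sysdig_secure_organization" "google_organization" {
  # … unchanged: count and attribute assignments …
  lifecycle {
    precondition {
      condition     = !local.both_org_configuration_params
      error_message = "management_group_ids cannot be combined with include_folders/exclude_folders/include_projects/exclude_projects; use only one of the two methods."
    }
  }
  # … unchanged: depends_on …
```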
@@ -29,8 +29,13 @@ resource "google_organization_iam_member" "browser" {
 resource "sysdig_secure_organization" "google_organization" {
 count = var.is_organizational ? 1 : 0
- management_account_id = sysdig_secure_cloud_auth_account.google_account.id
- organizational_unit_ids = var.management_group_ids
+ management_account_id = sysdig_secure_cloud_auth_account.google_account.id
+ organizational_unit_ids = var.management_group_ids
+ organization_root_id = local.root_org[0]
+ included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders
+ excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders
+ included_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.include_projects
+ excluded_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.exclude_projects
 depends_on = [
 google_organization_iam_member.browser,
 sysdig_secure_cloud_auth_account.google_account
diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf
index 7db7f22..84c3a09 100644
--- a/modules/onboarding/outputs.tf
+++ b/modules/onboarding/outputs.tf
@@ -17,3 +17,23 @@ output "organization_domain" {
 value = var.organization_domain
 description = "Organization domain. e.g. sysdig.com"
 }
+
+output "include_folders" {
+ description = "folders to include for organization"
+ value = var.include_folders
+}
+
+output "exclude_folders" {
+ description = "folders to exclude for organization"
+ value = var.exclude_folders
+}
+
+output "include_projects" {
+ description = "projects to include for organization"
+ value = var.include_projects
+}
+
+output "exclude_projects" {
+ description = "projects to exclude for organization"
+ value = var.exclude_projects
+}
\ No newline at end of file
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
index 9571e7e..6fafb71 100644
--- a/modules/onboarding/variables.tf
+++ b/modules/onboarding/variables.tf
@@ -16,8 +16,12 @@ variable "organization_domain" {
 }
 variable "management_group_ids" {
+ description = <<-EOF
+ TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
+ When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded.
+ Default: onboard all folders.
+ EOF
 type = set(string)
- description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]"
 default = []
 }
@@ -25,4 +29,28 @@ variable "suffix" {
 type = string
 description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
 default = null
+}
+
+variable "include_folders" {
+ description = "(Optional) folders to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_folders" {
+ description = "(Optional) folders to exclude for organization"
+ type = set(string)
+ default = []
+}
+
+variable "include_projects" {
+ description = "(Optional) projects to include for organization"
+ type = set(string)
+ default = []
+}
+
+variable "exclude_projects" {
+ description = "(Optional) projects to exclude for organization"
+ type = set(string)
+ default = []
 }
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
index d1ac2e1..9942f54 100644
--- a/modules/vm-workload-scanning/README.md
+++ b/modules/vm-workload-scanning/README.md
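Review bot: The four new `include_*`/`exclude_*` variables in the second hunk (`@@ -25,4 +29,28 @@`) document neither the expected identifier form nor how they interact with the other inputs, while the description removed from `management_group_ids` in the first hunk did show the form (`[folders/123456789012]`). Since the organizational.tf hunk of this patch passes these sets only when `is_organizational` is true and replaces them with `[]` whenever `management_group_ids` is non-empty, a description such as `"(Optional) Folder identifiers to include, e.g. folders/123456789012. Only used when is_organizational = true; ignored while management_group_ids is set."` (and the matching wording for the exclude and project variables) would spare the reader from discovering that at plan time. If the accepted identifier format is fixed, a `validation` block on each variable would also reject typos before the Sysdig provider does.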
@@ -41,13 +41,18 @@ No modules. ### Inputs -| Name | Description | Type | Default | Required | -|------|----------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| -| project_id | GCP Project ID | string | n/a | yes | -| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization. | bool | false | no | -| organization_domain | (Optional) Organization domain. e.g. sysdig.com | string | "" | no | -| role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no | -| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string | n/a | yes | +| Name | Description | Type | Default | Required | +|---------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------|:--------:| +| project_id | GCP Project ID | string | n/a | yes | +| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization. | bool | false | no | +| organization_domain | (Optional) Organization domain. e.g. 
sysdig.com | string | "" | no | +| role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no | +| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string | n/a | yes | +| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | +| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | + ### Outputs diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf index c904eec..0dcdaa1 100644 --- a/modules/vm-workload-scanning/variables.tf +++ b/modules/vm-workload-scanning/variables.tf @@ -26,3 +26,27 @@ variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" } + +variable "include_folders" { + description = "(Optional) folders to include for organization" + type = set(string) + default = [] +} + +variable "exclude_folders" { + description = "(Optional) folders to exclude for organization" + type = set(string) + default = [] +} + +variable "include_projects" { + description = "(Optional) projects to include for organization" + type = set(string) + default = [] +} + +variable "exclude_projects" { + description = "(Optional) projects to exclude for organization" + type = set(string) + default = [] +} \ No newline at end of file From 86b1dc62c4ecaa63f6f967d6bfe7fd00ac7016b6 Mon Sep 17 00:00:00 2001 
From: Jose Pablo Camacho Date: Mon, 21 Apr 2025 20:55:22 -0600 Subject: [PATCH 2/5] SSPROD-55652 - feat: add support for include/exclude params --- modules/agentless-scan/README.md | 4 --- modules/agentless-scan/variables.tf | 24 ------------------ modules/config-posture/README.md | 4 --- modules/config-posture/variables.tf | 24 ------------------ modules/integrations/pub-sub/README.md | 4 --- modules/integrations/pub-sub/test.log | 30 ----------------------- modules/integrations/pub-sub/variables.tf | 24 ------------------ modules/onboarding/locals.tf | 12 ++++----- modules/vm-workload-scanning/README.md | 5 ---- modules/vm-workload-scanning/variables.tf | 24 ------------------ 10 files changed, 6 insertions(+), 149 deletions(-) delete mode 100644 modules/integrations/pub-sub/test.log diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md index 0b37cdb..e0ea595 100644 --- a/modules/agentless-scan/README.md +++ b/modules/agentless-scan/README.md @@ -78,10 +78,6 @@ No modules. | [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no | | [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string` | `null` | no | -| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | -| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | ## Outputs diff --git a/modules/agentless-scan/variables.tf b/modules/agentless-scan/variables.tf index 2a55bfc..c8ef09d 100644 --- a/modules/agentless-scan/variables.tf +++ b/modules/agentless-scan/variables.tf @@ -25,27 +25,3 @@ variable "suffix" { description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated." default = null } - -variable "include_folders" { - description = "(Optional) folders to include for organization" - type = set(string) - default = [] -} - -variable "exclude_folders" { - description = "(Optional) folders to exclude for organization" - type = set(string) - default = [] -} - -variable "include_projects" { - description = "(Optional) projects to include for organization" - type = set(string) - default = [] -} - -variable "exclude_projects" { - description = "(Optional) projects to exclude for organization" - type = set(string) - default = [] -} \ No newline at end of file diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 4285807..097e46b 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
@@ -62,10 +62,6 @@ No modules. | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | -| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | -| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | ## Outputs diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index a45e334..7864843 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -25,27 +25,3 @@ variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" } - -variable "include_folders" { - description = "(Optional) folders to include for organization" - type = set(string) - default = [] -} - -variable "exclude_folders" { - description = "(Optional) folders to exclude for organization" - type = set(string) - default = [] -} - -variable "include_projects" { - description = "(Optional) projects to include for organization" - type = set(string) - default = [] -} - -variable "exclude_projects" { - description = "(Optional) projects to exclude for organization" - type = set(string) - default = [] -} \ No newline at end of file 
diff --git a/modules/integrations/pub-sub/README.md b/modules/integrations/pub-sub/README.md index fd017ea..27d53a6 100644 --- a/modules/integrations/pub-sub/README.md +++ b/modules/integrations/pub-sub/README.md @@ -90,10 +90,6 @@ No modules. | [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | | [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. |
list(object({
name = string,
description = optional(string),
filter = string,
disabled = optional(bool)
}))
| `[]` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | `""` | no | -| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | -| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | ## Outputs diff --git a/modules/integrations/pub-sub/test.log b/modules/integrations/pub-sub/test.log deleted file mode 100644 index b9dc9bb..0000000 --- a/modules/integrations/pub-sub/test.log +++ /dev/null 
@@ -1,30 +0,0 @@ -2024-10-16T03:29:17.754-0600 [INFO] Terraform version: 1.5.7 -2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0 -2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2 -2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0 -2024-10-16T03:29:17.754-0600 [DEBUG] using github.com/zclconf/go-cty v1.12.2 -2024-10-16T03:29:17.754-0600 [INFO] Go runtime version: go1.22.2 -2024-10-16T03:29:17.754-0600 [INFO] CLI args: []string{"terraform", "fmt"} -2024-10-16T03:29:17.754-0600 [DEBUG] Attempting to open CLI config file: /Users/jose.camacho/.terraformrc -2024-10-16T03:29:17.754-0600 [DEBUG] File doesn't exist, but doesn't need to. Ignoring. -2024-10-16T03:29:17.755-0600 [DEBUG] checking for credentials in "/Users/jose.camacho/.terraform.d/plugins" -2024-10-16T03:29:17.755-0600 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins -2024-10-16T03:29:17.755-0600 [DEBUG] will search for provider plugins in /Users/jose.camacho/.terraform.d/plugins -2024-10-16T03:29:17.756-0600 [DEBUG] ignoring non-existing provider search directory /Users/jose.camacho/Library/Application Support/io.terraform/plugins -2024-10-16T03:29:17.756-0600 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins -2024-10-16T03:29:17.757-0600 [INFO] CLI command args: []string{"fmt"} -2024-10-16T13:30:53.059-0600 [INFO] Terraform version: 1.5.7 -2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0 -2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2 -2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0 -2024-10-16T13:30:53.060-0600 [DEBUG] using github.com/zclconf/go-cty v1.12.2 -2024-10-16T13:30:53.060-0600 [INFO] Go runtime version: go1.22.2 -2024-10-16T13:30:53.060-0600 [INFO] CLI args: []string{"terraform", "fmt"} -2024-10-16T13:30:53.060-0600 
[DEBUG] Attempting to open CLI config file: /Users/jose.camacho/.terraformrc -2024-10-16T13:30:53.060-0600 [DEBUG] File doesn't exist, but doesn't need to. Ignoring. -2024-10-16T13:30:53.060-0600 [DEBUG] checking for credentials in "/Users/jose.camacho/.terraform.d/plugins" -2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins -2024-10-16T13:30:53.061-0600 [DEBUG] will search for provider plugins in /Users/jose.camacho/.terraform.d/plugins -2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory /Users/jose.camacho/Library/Application Support/io.terraform/plugins -2024-10-16T13:30:53.061-0600 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins -2024-10-16T13:30:53.062-0600 [INFO] CLI command args: []string{"fmt"} diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf index da622cd..e490efa 100644 --- a/modules/integrations/pub-sub/variables.tf +++ b/modules/integrations/pub-sub/variables.tf @@ -101,27 +101,3 @@ variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)" } - -variable "include_folders" { - description = "(Optional) folders to include for organization" - type = set(string) - default = [] -} - -variable "exclude_folders" { - description = "(Optional) folders to exclude for organization" - type = set(string) - default = [] -} - -variable "include_projects" { - description = "(Optional) projects to include for organization" - type = set(string) - default = [] -} - -variable "exclude_projects" { - description = "(Optional) projects to exclude for organization" - type = set(string) - default = [] -} \ No newline at end of file diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index ed60fe1..363f866 100644 
--- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf @@ -1,10 +1,10 @@ locals { # check if both old and new include/exclude org parameters are used, we fail early both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && ( - length(var.include_folders) > 0 || - length(var.exclude_folders) > 0 || - length(var.include_projects) > 0 || - length(var.exclude_projects) > 0 + length(var.include_folders) > 0 || + length(var.exclude_folders) > 0 || + length(var.include_projects) > 0 || + length(var.exclude_projects) > 0 ) # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it @@ -16,14 +16,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning + condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated, ONLY management_group_ids will be considered. Please use only one of the two methods. diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md index 9942f54..aea0677 100644 --- a/modules/vm-workload-scanning/README.md +++ b/modules/vm-workload-scanning/README.md 
@@ -48,11 +48,6 @@ No modules. | organization_domain | (Optional) Organization domain. e.g. sysdig.com | string | "" | no | | role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no | | sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string | n/a | yes | -| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | -| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | - ### Outputs diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf index 0dcdaa1..c904eec 100644 --- a/modules/vm-workload-scanning/variables.tf +++ b/modules/vm-workload-scanning/variables.tf @@ -26,27 +26,3 @@ variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" } - -variable "include_folders" { - description = "(Optional) folders to include for organization" - type = set(string) - default = [] -} - -variable "exclude_folders" { - description = "(Optional) folders to exclude for organization" - type = set(string) - default = [] -} - -variable "include_projects" { - description = "(Optional) projects to include for organization" - type = set(string) - default = [] -} - -variable "exclude_projects" { - description = "(Optional) projects to exclude for organization" - type = set(string) - default = [] -} \ No newline at end of file From 9cb623bbaf03a742be118486def1196e682ea01b Mon Sep 17 00:00:00 2001 
From: Jose Pablo Camacho Date: Tue, 22 Apr 2025 17:02:06 -0600 Subject: [PATCH 3/5] SSPROD-55652 - feat: add support for include/exclude params --- modules/onboarding/locals.tf | 2 +- modules/onboarding/organizational.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 363f866..61ae251 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf @@ -11,7 +11,7 @@ locals { check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0 # fetch the GCP root org - root_org = var.is_organizational ? [data.google_organization.org[0].org_id] : [] + root_org = var.is_organizational ? [data.google_organization.org[0].name] : [] } check "validate_org_configuration_params" { diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index a65b0ca..29a07ad 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -30,7 +30,7 @@ resource "sysdig_secure_organization" "google_organization" { count = var.is_organizational ? 1 : 0 management_account_id = sysdig_secure_cloud_auth_account.google_account.id - organizational_unit_ids = var.management_group_ids + organizational_unit_ids = local.check_old_management_group_ids_param ? var.management_group_ids : [] organization_root_id = local.root_org[0] included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders From dbb94897b8e058c9ba2f4269c93ad41492f93960 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 22 Apr 2025 17:05:47 -0600 Subject: [PATCH 4/5] SSPROD-55652 - feat: add support for include/exclude params --- modules/onboarding/README.md | 8 ++++---- modules/onboarding/variables.tf | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
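Review bot: The new ternary on `organizational_unit_ids` is a no-op inside this resource: `local.check_old_management_group_ids_param` is `var.is_organizational && length(var.management_group_ids) > 0` (visible in the locals.tf hunk above), `count = var.is_organizational ? 1 : 0` already guarantees the first operand, and when the length is zero the `[]` fallback is what `var.management_group_ids` already holds, so the previous `organizational_unit_ids = var.management_group_ids` reads the same and evaluates the same. The precedence that does matter is on the next two lines, where a non-empty legacy `management_group_ids` silently replaces `include_folders`/`exclude_folders` with `[]`, so an operator who added exclusions ends up with the legacy scope and none of them applied. The only guard against that combination is the `check` block in locals.tf, and Terraform `check` assertions are reported as warnings and never stop plan or apply, so despite its "ERROR" text it does not "fail early" as the locals comment claims. A `precondition` on this resource turns the conflict into a hard plan failure; the resource block continues past the end of the hunk.
```hcl
resource "sysdig_secure_organization" "google_organization" {
  count = var.is_organizational ? 1 : 0

  lifecycle {
    # Reject mixed legacy/new scoping instead of silently dropping include/exclude_folders;
    # a `check` block would only warn, a precondition fails the plan.
    precondition {
      condition     = !local.both_org_configuration_params
      error_message = "Use either management_group_ids (deprecated) or include_folders/exclude_folders/include_projects/exclude_projects, not both."
    }
  }

  # … unchanged: management_account_id, organizational_unit_ids, organization_root_id, included/excluded_organizational_groups …
```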
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index dd1e3bf..3af445e 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -60,10 +60,10 @@ No modules. | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | | [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no | -| [suffix](#input\_include\_folders) | folders to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_folders) | folders to exclude for organization | `set(string)` | `[]` | no | -| [suffix](#input\_include\_projects) | projects to include for organization | `set(string)` | `[]` | no | -| [suffix](#input\_exclude\_projects) | projects to exclude for organization | `set(string)` | `[]` | no | +| [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no | +| [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no | +| [suffix](#input\_exclude\_projects) | projects to exclude for organization. i.e: my-project-id | `set(string)` | `[]` | no | diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 6fafb71..1b9ae3c 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
@@ -32,25 +32,25 @@ variable "suffix" { } variable "include_folders" { - description = "(Optional) folders to include for organization" + description = "(Optional) folders to include for organization in the format 'folders/{folder_id}' i.e: folders/123456789012" type = set(string) default = [] } variable "exclude_folders" { - description = "(Optional) folders to exclude for organization" + description = "(Optional) folders to exclude for organization in the format 'folders/{folder_id}' i.e: folders/123456789012" type = set(string) default = [] } variable "include_projects" { - description = "(Optional) projects to include for organization" + description = "(Optional) projects id to include for organization i.e: my-project-id" type = set(string) default = [] } variable "exclude_projects" { - description = "(Optional) projects to exclude for organization" + description = "(Optional) projects id to exclude for organization i.e: my-project-id" type = set(string) default = [] } \ No newline at end of file From a4641ff3506048bbf1962cbe880bcdfea0fdfba8 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 24 Apr 2025 09:42:13 -0600 Subject: [PATCH 5/5] SSPROD-55652 - feat: add support for include/exclude params --- .../modular_organization/onboarding_with_posture.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 3b73142..9149510 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf 
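Review bot: The new descriptions promise a `folders/{folder_id}` form for folders and a project ID for projects, but nothing on the new side enforces it, so a bare `123456789012`, an `organizations/…` name, or an empty string is accepted at plan time and only surfaces (if at all) when the Sysdig side evaluates the scope — for a list that decides which folders and projects are monitored, a silently ignored entry means resources left unmonitored or monitored unintentionally. An empty string also counts toward `length(var.include_projects) > 0` in the locals.tf check, so `[""]` is treated as a populated list. Add `validation` blocks so malformed entries fail at plan; the project-ID pattern below follows GCP's published project-ID rules (6–30 chars, lowercase letters, digits and hyphens, letter first, no trailing hyphen) and should be loosened if the Sysdig side accepts other forms. Minor: `i.e:` in all four descriptions should read `e.g.`, since these are examples.
```hcl
variable "include_folders" {
  description = "(Optional) folders to include for organization in the format 'folders/{folder_id}' e.g. folders/123456789012"
  type        = set(string)
  default     = []

  validation {
    # catch bare numeric IDs, organization names and empty strings before they reach the Sysdig scope
    condition     = alltrue([for f in var.include_folders : can(regex("^folders/[0-9]+$", f))])
    error_message = "Each include_folders entry must be of the form 'folders/123456789012'."
  }
}

# … same validation block for exclude_folders …

variable "include_projects" {
  description = "(Optional) project IDs to include for organization e.g. my-project-id"
  type        = set(string)
  default     = []

  validation {
    # GCP project-ID rules; relax if the Sysdig side accepts other identifiers
    condition     = alltrue([for p in var.include_projects : can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", p))])
    error_message = "Each include_projects entry must be a GCP project ID such as 'my-project-id'."
  }
}

# … same validation block for exclude_projects …
```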
@@ -22,6 +22,15 @@ module "onboarding" { project_id = "org-child-project-3" is_organizational = true organization_domain = "draios.com" + + # legacy include/exclude org install params + # management_group_ids = ["folders/123456789012"] + + # include/exclude parameters + include_folders = ["folders/123456789012"] + exclude_folders = [] + include_projects = ["", ""] + exclude_projects = ["", ""] } module "config-posture" { @@ -47,7 +56,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.service_principal_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle {
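Review bot: `include_projects = ["", ""]` and `exclude_projects = ["", ""]` put empty strings into a `set(string)`, which collapses to `[""]` and is presumably forwarded as a project ID to the Sysdig organization scope; because this example is what users copy, it will also be read as the expected shape of the value. Use the placeholder the variable description already names, `include_projects = ["my-project-id"]`, or `include_projects = []` and `exclude_projects = []` when no project-level scoping is intended, matching the `exclude_folders = []` line above them. Pairing a populated `include_folders` with blank project lists also leaves it unclear whether folder and project scoping combine or compete; a one-line comment stating which takes effect when both are set would help readers of the example.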