Merged
Changes from 4 commits
14 changes: 7 additions & 7 deletions modules/agentless-scan/README.md
@@ -71,13 +71,13 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-----------------------------|:--------:|
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string` | `null` | no |
| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string` | `null` | no |

## Outputs

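Review bot: this hunk only re-pads the table columns, and the description text it carries forward still has grammar slips worth fixing at the source while the table is being regenerated: the `organization_domain` row reads "its mandatory to specify this value" (should be "it is mandatory"), and the `is_organizational` row reads "Determines whether module must scope whole organization. Otherwise single project will be scoped" (should be "Determines whether the module scopes the whole organization; otherwise a single project is scoped"). If this table is produced by terraform-docs, as the pre-commit hook marker in the onboarding README suggests, the fix belongs in the variable descriptions in variables.tf so the next regeneration does not reintroduce the typos.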
14 changes: 7 additions & 7 deletions modules/config-posture/README.md
@@ -55,13 +55,13 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |
| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |

## Outputs

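Review bot: the `sysdig_secure_account_id` row keeps the description "(Required) The GUID of the management project or single project per sysdig representation", which does not match the description on that same variable in modules/config-posture/variables.tf in this PR ("ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"). Regenerate the README from the updated variables.tf rather than hand-adjusting column widths, so the documented description and the variable's own description stay in sync.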
2 changes: 1 addition & 1 deletion modules/config-posture/variables.tf
@@ -24,4 +24,4 @@ variable "suffix" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
}
}
2 changes: 1 addition & 1 deletion modules/integrations/pub-sub/variables.tf
@@ -100,4 +100,4 @@ variable "ingestion_sink_filter" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)"
}
}
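Review bot: the `description` in this hunk has a duplicated phrase and a typo: "to enable to enable Pub Sub integration for (incase of organization". Since the file is already being touched (the visible change is only the trailing newline at end of file, with `}` both removed and added), fix the wording to "ID of the Sysdig Cloud Account to enable Pub/Sub integration for (in case of organization, ID of the Sysdig management account)", matching the phrasing used for the config-posture variable in this PR.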
23 changes: 16 additions & 7 deletions modules/onboarding/README.md
@@ -53,13 +53,17 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids) | (Optional) List of management group ids w.r.t an org install. If not provided, set to empty by default | `string` | `null` | no |
| Name | Description | Type | Default | Required |
|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.<br>List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no |
| <a name="input_include_folders"></a> [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
| <a name="input_exclude_folders"></a> [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
| <a name="input_include_projects"></a> [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no |
| <a name="input_exclude_projects"></a> [suffix](#input\_exclude\_projects) | projects to exclude for organization. i.e: my-project-id | `set(string)` | `[]` | no |



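Review bot: the link text on the five changed and added input rows is wrong: `management_group_ids`, `include_folders`, `exclude_folders`, `include_projects` and `exclude_projects` all render as `[suffix](#input\_...)`, a copy-paste of the `suffix` row, so the rendered table shows five rows named "suffix". The anchors are correct; only the bracketed text needs to be each variable's own name, e.g. `[include\_folders](#input\_include\_folders)`. The type correction for `management_group_ids` from `string`/`null` to `set(string)`/`[]` is right and should stay. Minor: "i.e:" in the folder and project descriptions should be "e.g." since `folders/123456789012` and `my-project-id` are examples, not definitions.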
@@ -71,6 +75,11 @@ No modules.
| <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not |
| <a name="output_organization_domain"></a> [organization\_domain](#output\_organization\_domain) | Organization domain of the GCP org being onboarded |
| <a name="output_project_id"></a> [project\_id](#output\_project\_id) | The management project id chosen during install, where global resources are deployed |
| <a name="output_include_folders"></a> [suffix](#output\_include\_folders) | folders to include for organization |
| <a name="output_exclude_folders"></a> [suffix](#output\_exclude\_folders) | folders to exclude for organization |
| <a name="output_include_projects"></a> [suffix](#output\_include\_projects) | projects to include for organization |
| <a name="output_exclude_projects"></a> [suffix](#output\_exclude\_projects) | projects to exclude for organization |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors
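Review bot: the same link-text problem appears on the four new output rows, which all read `[suffix](#output\_...)`; each should name its own output, e.g. `[include\_folders](#output\_include\_folders)`. The output descriptions are also thinner than the matching input rows (no format hint such as `folders/{folder_id}`); mirroring the input wording would help readers pair outputs with the inputs they echo.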
34 changes: 34 additions & 0 deletions modules/onboarding/locals.tf
@@ -0,0 +1,34 @@
locals {
# check if both old and new include/exclude org parameters are used, we fail early
both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
length(var.include_folders) > 0 ||
length(var.exclude_folders) > 0 ||
length(var.include_projects) > 0 ||
length(var.exclude_projects) > 0
)

# check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0

# fetch the GCP root org
root_org = var.is_organizational ? [data.google_organization.org[0].name] : []
}

check "validate_org_configuration_params" {
assert {
condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning
error_message = <<-EOT
WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
EOT
}

assert {
condition = !local.both_org_configuration_params # if this condition is false we throw error
error_message = <<-EOT
ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
ONLY management_group_ids will be considered. Please use only one of the two methods.

Note: management_group_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
EOT
}
}
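Review bot: both `assert` blocks sit inside a `check` block, and a failing `check` assertion is always reported by Terraform as a warning, never as an error, so the second assertion's "ERROR: ..." message and the comment "if this condition is false we throw error" are misleading: a plan that sets both `management_group_ids` and one of the include/exclude lists still succeeds and silently applies the old-parameter precedence. If the intent is to stop the run, move the `!local.both_org_configuration_params` condition into a `lifecycle { precondition { ... } }` on `sysdig_secure_organization.google_organization` (or into a variable `validation` block, if the minimum Terraform version in use allows referencing other variables there); if a warning is the intent, reword the message so operators are not told an error occurred when none did. Minor: the first assertion does not gate on `var.is_organizational`, so it also warns on single-project installs that happen to set `management_group_ids`, whereas `check_old_management_group_ids_param` does gate on it; using that local in the condition keeps the two consistent.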
9 changes: 7 additions & 2 deletions modules/onboarding/organizational.tf
@@ -29,8 +29,13 @@ resource "google_organization_iam_member" "browser" {
resource "sysdig_secure_organization" "google_organization" {
count = var.is_organizational ? 1 : 0

management_account_id = sysdig_secure_cloud_auth_account.google_account.id
organizational_unit_ids = var.management_group_ids
management_account_id = sysdig_secure_cloud_auth_account.google_account.id
organizational_unit_ids = local.check_old_management_group_ids_param ? var.management_group_ids : []
organization_root_id = local.root_org[0]
included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders
excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders
included_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.include_projects
excluded_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.exclude_projects
depends_on = [
google_organization_iam_member.browser,
sysdig_secure_cloud_auth_account.google_account
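Review bot: the precedence decision is repeated in five ternaries on `local.check_old_management_group_ids_param`; computing the effective lists once in locals.tf (e.g. `effective_include_folders = local.check_old_management_group_ids_param ? [] : var.include_folders`) keeps the resource block declarative and makes the fallback behaviour reviewable in one place. Note also that `organization_root_id = local.root_org[0]` is only safe because `count` is 0 whenever `var.is_organizational` is false (so the empty `local.root_org` list is never indexed); that coupling deserves a comment, since indexing an empty list is a hard plan error if the two conditions ever diverge. The new arguments (`organization_root_id`, `included_organizational_groups`, `excluded_organizational_groups`, `included_cloud_accounts`, `excluded_cloud_accounts`) also require a `sysdig` provider version that supports them; that constraint is not part of this diff, so please confirm the minimum provider version has been bumped alongside this change.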