diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md
index acd02b5..e0ea595 100644
--- a/modules/agentless-scan/README.md
+++ b/modules/agentless-scan/README.md
@@ -71,13 +71,13 @@ No modules.
 
 ## Inputs
 
-| Name                                                                                                                 | Description                                                                                                                                                                                                                                               | Type           | Default                     | Required |
-|----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-----------------------------|:--------:|
-|  [project\_id](#input\_project\_id)                                                   | GCP Project ID                                                                                                                                                                                                                                            | `string`       | n/a                         |   yes    |
-|  [is\_organizational](#input\_is\_organizational)                              | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped                                                                                                                                                | `bool`         | `false`                     |    no    |
-|  [organization\_domain](#input\_organization\_domain)                        | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com                                                                                                                      | `string`       | `null`                      |    no    |
-|  [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)     | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)                                                                                                                | `string`       | `null`                      |    no    |
-|  [suffix](#input\_suffix)                                                                 | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string`       | `null`                      |    no    |
+| Name                                                                                                             | Description                                                                                                                                                                                                                                               | Type          | Default | Required |
+|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+|  [project\_id](#input\_project\_id)                                               | GCP Project ID                                                                                                                                                                                                                                            | `string`      | n/a     |   yes    |
+|  [is\_organizational](#input\_is\_organizational)                          | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped                                                                                                                                                | `bool`        | `false` |    no    |
+|  [organization\_domain](#input\_organization\_domain)                    | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com                                                                                                                      | `string`      | `null`  |    no    |
+|  [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)                                                                                                                | `string`      | `null`  |    no    |
+|  [suffix](#input\_suffix)                                                             | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string`      | `null`  |    no    |
 
 ## Outputs
 
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 8ad48fc..097e46b 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -55,13 +55,13 @@ No modules.
 
 ## Inputs
 
-| Name                                                                                                             | Description                                                                                                               | Type | Default                                       | Required |
-|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:|
-|  [is\_organizational](#input\_is\_organizational)                          | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool` | `false`                                       |    no    |
-|  [organization\_domain](#input\_organization\_domain)                    | Organization domain. e.g. sysdig.com                                                                                      | `string` | `""`                                          |    no    |
-|  [project\_id](#input\_project\_id)                                               | (Required) Target Project identifier provided by the customer                                                             | `string` | n/a                                           |   yes    |
-|  [suffix](#input\_suffix)                                                             | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null`                                        |    no    |
-|  [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation                                 | `string` | n/a                                           |   yes    |
+| Name                                                                                                             | Description                                                                                                               | Type          | Default | Required |
+|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+|  [is\_organizational](#input\_is\_organizational)                          | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool`        | `false` |    no    |
+|  [organization\_domain](#input\_organization\_domain)                    | Organization domain. e.g. sysdig.com                                                                                      | `string`      | `""`    |    no    |
+|  [project\_id](#input\_project\_id)                                               | (Required) Target Project identifier provided by the customer                                                             | `string`      | n/a     |   yes    |
+|  [suffix](#input\_suffix)                                                             | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string`      | `null`  |    no    |
+|  [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation                                 | `string`      | n/a     |   yes    |
 
 ## Outputs
 
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
index b975bc2..7864843 100644
--- a/modules/config-posture/variables.tf
+++ b/modules/config-posture/variables.tf
@@ -24,4 +24,4 @@ variable "suffix" {
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
-}
\ No newline at end of file
+}
diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf
index 6cf397b..e490efa 100644
--- a/modules/integrations/pub-sub/variables.tf
+++ b/modules/integrations/pub-sub/variables.tf
@@ -100,4 +100,4 @@ variable "ingestion_sink_filter" {
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)"
-}
\ No newline at end of file
+}
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index d865008..3af445e 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -53,13 +53,17 @@ No modules.
 
 ## Inputs
 
-| Name                                                                                          | Description                                                                                                               | Type | Default | Required |
-|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
-|  [is\_organizational](#input\_is\_organizational)       | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool` | `false` | no |
-|  [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                      | `string` | `""` | no |
-|  [project\_id](#input\_project\_id)                            | (Required) Target Project identifier provided by the customer                                                             | `string` | n/a | yes |
-|  [suffix](#input\_suffix)                                          | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
-|  [suffix](#input\_management\_group\_ids)            | (Optional) List of management group ids w.r.t an org install. If not provided, set to empty by default                    | `string` | `null` | no |
+| Name                                                                                          | Description                                                                                                                                                                             | Type          | Default | Required |
+|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+|  [is\_organizational](#input\_is\_organizational)       | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                                                                                   | `bool`        | `false` |    no    |
+|  [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                                                                                    | `string`      | `""`    |    no    |
+|  [project\_id](#input\_project\_id)                            | (Required) Target Project identifier provided by the customer                                                                                                                           | `string`      | n/a     |   yes    |
+|  [suffix](#input\_suffix)                                          | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated                                                               | `string`      | `null`  |    no    |
+|  [suffix](#input\_management\_group\_ids)            | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
+|  [suffix](#input\_include\_folders)                       | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                      | `set(string)` | `[]`    |    no    |
+|  [suffix](#input\_exclude\_folders)                       | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                      | `set(string)` | `[]`    |    no    |
+|  [suffix](#input\_include\_projects)                     | projects to include for organization. i.e: my-project-id                                                                                                                                | `set(string)` | `[]`    |    no    |
+|  [suffix](#input\_exclude\_projects)                     | projects to exclude for organization. i.e: my-project-id                                                                                                                                | `set(string)` | `[]`    |    no    |
 
 
 
@@ -71,6 +75,11 @@ No modules.
 |  [is\_organizational](#output\_is\_organizational)                          | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not |
 |  [organization\_domain](#output\_organization\_domain)                    | Organization domain of the GCP org being onboarded                                             |
 |  [project\_id](#output\_project\_id)                                               | The management project id chosen during install, where global resources are deployed           |
+|  [suffix](#output\_include\_folders)                                          | folders to include for organization                                                            |
+|  [suffix](#output\_exclude\_folders)                                          | folders to exclude for organization                                                            |
+|  [suffix](#output\_include\_projects)                                        | projects to include for organization                                                           |
+|  [suffix](#output\_exclude\_projects)                                        | projects to exclude for organization                                                           |
+
 
 
 ## Authors
diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf
new file mode 100644
index 0000000..61ae251
--- /dev/null
+++ b/modules/onboarding/locals.tf
@@ -0,0 +1,34 @@
+locals {
+  # check if both old and new include/exclude org parameters are used, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
+    length(var.include_folders) > 0 ||
+    length(var.exclude_folders) > 0 ||
+    length(var.include_projects) > 0 ||
+    length(var.exclude_projects) > 0
+  )
+
+  # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
+
+  # fetch the GCP root org
+  root_org = var.is_organizational ? [data.google_organization.org[0].name] : []
+}
+
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.management_group_ids) == 0 # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: TO BE DEPRECATED 'management_group_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
+    ONLY management_group_ids will be considered. Please use only one of the two methods.
+
+    Note: management_group_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}
\ No newline at end of file
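Review bot: The second assert in `check "validate_org_configuration_params"` cannot act as the error its comment and `ERROR:` message describe, because Terraform `check` blocks only emit warnings and never stop a plan or apply. The `# ... we fail early` comment on `both_org_configuration_params` is wrong for the same reason. When both parameter styles are populated the run continues and `exclude_folders`/`exclude_projects` are dropped in favour of `management_group_ids`, so the onboarded scope can differ from what the operator wrote with nothing blocking it. If a hard stop is intended, move the condition into `lifecycle { precondition { condition = !local.both_org_configuration_params ... } }` on `sysdig_secure_organization.google_organization`; otherwise reword the comments and message as a warning. The file also ends without a trailing newline, which this commit fixes in two other variables.tf files.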
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 3c5f403..29a07ad 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -29,8 +29,13 @@ resource "google_organization_iam_member" "browser" {
 resource "sysdig_secure_organization" "google_organization" {
   count = var.is_organizational ? 1 : 0
 
-  management_account_id   = sysdig_secure_cloud_auth_account.google_account.id
-  organizational_unit_ids = var.management_group_ids
+  management_account_id          = sysdig_secure_cloud_auth_account.google_account.id
+  organizational_unit_ids        = local.check_old_management_group_ids_param ? var.management_group_ids : []
+  organization_root_id           = local.root_org[0]
+  included_organizational_groups = local.check_old_management_group_ids_param ? [] : var.include_folders
+  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : var.exclude_folders
+  included_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.include_projects
+  excluded_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.exclude_projects
   depends_on = [
     google_organization_iam_member.browser,
     sysdig_secure_cloud_auth_account.google_account
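Review bot: The new arguments (`organization_root_id`, `included_organizational_groups`, `excluded_cloud_accounts` and the others) are added without raising the provider floor, since the versions.tf hunk in this commit changes `>= 1.34.0` to `>= 1.34`, which is the same constraint. If these arguments first appeared in a later sysdig provider release, which the diff does not show, a lock file pinned to an older release will fail with an unsupported-argument error, so the minimum should name the first release that has them. Separately, `local.root_org[0]` indexes a list that is empty when `is_organizational` is false and is safe only because of the `count` guard; `one(local.root_org)` expresses the same intent without depending on it. The resource body continues outside the hunk.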
diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf
index 7db7f22..84c3a09 100644
--- a/modules/onboarding/outputs.tf
+++ b/modules/onboarding/outputs.tf
@@ -17,3 +17,23 @@ output "organization_domain" {
   value       = var.organization_domain
   description = "Organization domain. e.g. sysdig.com"
 }
+
+output "include_folders" {
+  description = "folders to include for organization"
+  value       = var.include_folders
+}
+
+output "exclude_folders" {
+  description = "folders to exclude for organization"
+  value       = var.exclude_folders
+}
+
+output "include_projects" {
+  description = "projects to include for organization"
+  value       = var.include_projects
+}
+
+output "exclude_projects" {
+  description = "projects to exclude for organization"
+  value       = var.exclude_projects
+}
\ No newline at end of file
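Review bot: The four new outputs return the raw variables, so they can report a scope that was never applied. When `management_group_ids` is set, organizational.tf in this commit sends `[]` for all four include/exclude arguments, yet `include_folders` and its siblings still echo the caller's values. Anything that reads these outputs to audit what was onboarded would be misled. Either output the effective value, e.g. `value = local.check_old_management_group_ids_param ? [] : var.include_folders`, or state in each `description` that the output is the requested input and is ignored when `management_group_ids` is non-empty.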
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
index 9571e7e..1b9ae3c 100644
--- a/modules/onboarding/variables.tf
+++ b/modules/onboarding/variables.tf
@@ -16,8 +16,12 @@ variable "organization_domain" {
 }
 
 variable "management_group_ids" {
+  description = <<-EOF
+    TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_folders` instead.
+    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded.
+    Default: onboard all folders.
+    EOF
   type        = set(string)
-  description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]"
   default     = []
 }
 
@@ -25,4 +29,28 @@ variable "suffix" {
   type        = string
   description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
   default     = null
+}
+
+variable "include_folders" {
+  description = "(Optional) folders to include for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_folders" {
+  description = "(Optional) folders to exclude for organization in the format 'folders/{folder_id}' i.e: folders/123456789012"
+  type        = set(string)
+  default     = []
+}
+
+variable "include_projects" {
+  description = "(Optional) projects id to include for organization i.e: my-project-id"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_projects" {
+  description = "(Optional) projects id to exclude for organization i.e: my-project-id"
+  type        = set(string)
+  default     = []
 }
\ No newline at end of file
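Review bot: The four new variables document a format (`folders/{folder_id}`, a project id) but accept any string, so a typo such as a bare folder number reaches the provider unchecked. For the exclude lists, an entry that matches nothing presumably leaves that folder or project in scope. Add a `validation` block to each variable, for the folder ones with `condition = alltrue([for f in var.include_folders : can(regex("^folders/[0-9]+$", f))])`, and a non-empty-string check for the project ones. The descriptions also read "projects id", which should be "project IDs", and the file still ends without a trailing newline.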
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index adb6e1a..807c866 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -8,7 +8,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 1.34.0"
+      version = ">= 1.34"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
index d1ac2e1..aea0677 100644
--- a/modules/vm-workload-scanning/README.md
+++ b/modules/vm-workload-scanning/README.md
@@ -41,13 +41,13 @@ No modules.
 
 ### Inputs
 
-| Name | Description                                                                                                                      | Type | Default | Required |
-|------|----------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
-| project_id | GCP Project ID                                                                                                                   | string | n/a | yes |
-| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization.                                                      | bool | false | no |
-| organization_domain | (Optional) Organization domain. e.g. sysdig.com                                                                                  | string | "" | no |
-| role_name | Name for the Worker Role on the Customer infrastructure                                                                          | string | "SysdigAgentlessWorkloadRole" | no |
-| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string | n/a | yes |
+| Name                                                                      | Description                                                                                                                      | Type          | Default                       | Required |
+|---------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------|:--------:|
+| project_id                                                                | GCP Project ID                                                                                                                   | string        | n/a                           |   yes    |
+| is_organizational                                                         | Set this field to 'true' to deploy workload scanning to a GCP Organization.                                                      | bool          | false                         |    no    |
+| organization_domain                                                       | (Optional) Organization domain. e.g. sysdig.com                                                                                  | string        | ""                            |    no    |
+| role_name                                                                 | Name for the Worker Role on the Customer infrastructure                                                                          | string        | "SysdigAgentlessWorkloadRole" |    no    |
+| sysdig_secure_account_id                                                  | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string        | n/a                           |   yes    |
 
 ### Outputs
 
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
index 3b73142..2915f34 100644
--- a/test/examples/modular_organization/onboarding_with_posture.tf
+++ b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.34.0"
+      version = "~> 1.34"
     }
   }
 }
@@ -22,6 +22,15 @@ module "onboarding" {
   project_id          = "org-child-project-3"
   is_organizational   = true
   organization_domain = "draios.com"
+
+  # legacy include/exclude org install params
+  # management_group_ids = ["folders/123456789012"]
+
+  # include/exclude parameters
+  include_folders = ["folders/123456789012"]
+  exclude_folders = []
+  include_projects = ["", ""]
+  exclude_projects = ["", ""]
 }
 
 module "config-posture" {
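Review bot: The example passes `include_projects = ["", ""]` and `exclude_projects = ["", ""]`, which as `set(string)` each collapse to a single empty-string element, so the module treats both lists as populated and forwards an empty project id to the provider. Someone copying the example gets a scope filter that names no real project, and it is not obvious from the file that these are placeholders. Use `[]`, or commented-out placeholders such as `# include_projects = ["my-project-id"]`, in the same way `management_group_ids` is handled a few lines above. The `module "onboarding"` block starts outside the hunk.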
@@ -47,7 +56,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic"
   components = [module.config-posture.service_principal_component_id]
   depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture]
   flags = {
-    "CIEM_FEATURE_MODE": "basic"
+    "CIEM_FEATURE_MODE" : "basic"
   }
 
   lifecycle {
diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf
index 81d241e..9cabef2 100644
--- a/test/examples/modular_single_project/onboarding_with_posture.tf
+++ b/test/examples/modular_single_project/onboarding_with_posture.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.34.0"
+      version = "~> 1.34"
     }
   }
 }