From 225d7149ccb5c5e04c2ce550935d46cc60b43356 Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Tue, 13 May 2025 11:59:26 -0600
Subject: [PATCH] SSPROD-56865 - add dynamic org support

---
 modules/onboarding/README.md | 23 ++++++++++---------
 modules/onboarding/organizational.tf | 4 ++++
 modules/onboarding/variables.tf | 8 ++++++-
 .../onboarding_with_posture.tf | 3 +++
 4 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index 34a8663..d9c08ee 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -72,17 +72,18 @@ resource |
 ## Inputs
-| Name | Description | Type | Default | Required |
-|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
-| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
-| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
-| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
-| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
-| [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no |
-| [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
-| [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
-| [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no |
-| [suffix](#input\_exclude\_projects) | projects to exclude for organization. i.e: my-project-id | `set(string)` | `[]` | no |
+| Name | Description | Type | Default | Required |
+|-------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
+| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
+| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
+| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+| [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no |
+| [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
+| [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no |
+| [suffix](#input\_exclude\_projects) | projects to exclude for organization. i.e: my-project-id | `set(string)` | `[]` | no |
+| [enable\_automatic\_onboarding](#input\_enable\_automatic\_onboarding) | true/false whether whether Sysdig should automatically discover latest set of accounts in onboarded organization or not | `bool` | `false` | no |
 ## Outputs
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 1f9ad4b..1e055b0 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -36,8 +36,12 @@ resource "sysdig_secure_organization" "google_organization" {
 excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders
 included_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.include_projects
 excluded_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.exclude_projects
+ automatic_onboarding = var.enable_automatic_onboarding
 depends_on = [
 google_organization_iam_member.browser,
 sysdig_secure_cloud_auth_account.google_account
 ]
+ lifecycle {
+ ignore_changes = [automatic_onboarding]
+ }
 }
\ No newline at end of file
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
index f878a7c..f3631b1 100644
--- a/modules/onboarding/variables.tf
+++ b/modules/onboarding/variables.tf
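Review bot: The `lifecycle { ignore_changes = [automatic_onboarding] }` block on `sysdig_secure_organization.google_organization` means `var.enable_automatic_onboarding` is applied only when the resource is created and is never reconciled afterwards, so a later change of the variable, or of the setting on the Sysdig side, stays out of the plan silently; nothing in the hunk records why that is intended. Because automatic onboarding widens which accounts of the organization get onboarded without any further Terraform change, the state the code declares and the effective setting can diverge, and that should be explicit for whoever audits the module. Suggest a comment above the block, e.g. `# automatic_onboarding is applied at creation only; presumably it is managed from the Sysdig side afterwards, so later applies must not revert it`, with the same caveat carried into the variable's description. The resource block starts before this hunk.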
@@ -53,4 +53,10 @@ variable "exclude_projects" {
 description = "(Optional) projects id to exclude for organization i.e: my-project-id"
 type = set(string)
 default = []
-}
\ No newline at end of file
+}
+
+variable "enable_automatic_onboarding" {
+ type = bool
+ default = false
+ description = "true/false whether Sysdig should automatically discover latest set of accounts in onboarded organization or not"
+}
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
index 8e2cd84..a94e035 100644
--- a/test/examples/modular_organization/onboarding_with_posture.tf
+++ b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -31,6 +31,9 @@ module "onboarding" {
 exclude_folders = []
 include_projects = ["", ""]
 exclude_projects = ["", ""]
+
+ # optionally pass automatic onboarding for orgs (defaults to false)
+ enable_automatic_onboarding = false
 }
 
 module "config-posture" {
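Review bot: The description of `enable_automatic_onboarding` reads "true/false whether ... or not", which duplicates what `type = bool` already states and does not follow the "(Optional) ..." convention the neighbouring `exclude_projects` description uses; the README row for this input in the same commit also repeats "whether whether". Suggest `description = "(Optional) Whether Sysdig should automatically discover the latest set of accounts in the onboarded organization. Applied when the organization resource is created; later changes are ignored by the module."`, which also tells the reader about the ignore_changes behaviour in organizational.tf that this variable feeds.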