From 81fa9b18d5790aabe7edfdce34f62dbcb358cbeb Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Wed, 26 Nov 2025 21:10:23 -0600
Subject: [PATCH] Revert "Deprecate legacy TF module variables for Folder units (#79)"

This reverts commit 29d62c9c08058ea87884538e0c9038f2a57cd0b3.
---
 README.md | 2 +-
 modules/onboarding/README.md | 1 +
 modules/onboarding/locals.tf | 30 +++++++++++++++++++
 modules/onboarding/organizational.tf | 9 +++---
 modules/onboarding/variables.tf | 10 +++++++
 .../onboarding_with_posture.tf | 3 ++
 6 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 1d06c1d..7c0cb94 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ There are four new parameters to configure organizational deployments on the clo
 3. `include_projects` - List of GCP Projects to deploy the Sysdig Secure for Cloud resources in.
 4. `exclude_projects` - List of GCP Projects to exclude deploying the Sysdig Secure for Cloud resources in.
-**DEPRECATION NOTICE**: module variable `management_group_ids` has been DEPRECATED and is no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome.
+**WARNING**: module variable `management_group_ids` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome.
 **Note**: The modules under `modules/services/` folder are legacy installs and soon to be deprecated. Those modules are no longer used for Onboarding. Please use the corresponding feature modules as mentioned in `## Modules` section above for Modular Onboarding. It is the recommended form of Onboarding.
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index 1e54c00..9265d56 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -81,6 +81,7 @@ resource |
 | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
 | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
 | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+| [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no |
 | [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
 | [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no |
 | [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no |
diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf
index 817953a..1827f3c 100644
--- a/modules/onboarding/locals.tf
+++ b/modules/onboarding/locals.tf
@@ -1,8 +1,38 @@
 locals {
+ # check if both old and new include/exclude org parameters are used, we fail early
+ both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
+ length(var.include_folders) > 0 ||
+ length(var.exclude_folders) > 0 ||
+ length(var.include_projects) > 0 ||
+ length(var.exclude_projects) > 0
+ )
+
 # add 'folders/' prefix to the include/exclude folders
 prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]
 prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]
+ # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
+ check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
+
 # fetch the GCP root org
 root_org = var.is_organizational ? [data.google_organization.org[0].name] : []
 }
+
+check "validate_org_configuration_params" {
+ assert {
+ condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning
+ error_message = <<-EOT
+ WARNING: TO BE DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
+ EOT
+ }
+
+ assert {
+ condition = !local.both_org_configuration_params # if this condition is false we throw error
+ error_message = <<-EOT
+ ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
+ ONLY management_group_ids will be considered. Please use only one of the two methods.
+
+ Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
+ EOT
+ }
+}
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 16e1075..134315b 100644
--- a/modules/onboarding/organizational.tf
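Review bot: The restored `check "validate_org_configuration_params"` block cannot stop a run — a failed assertion in a Terraform `check` block is reported as a warning only — so the `# ... we fail early` comment on `both_org_configuration_params` and the `# if this condition is false we throw error` comment on the second assert overstate what the code does; with both the legacy and the new variables set, plan and apply proceed and the new include/exclude values are silently discarded by the ternaries in organizational.tf. If the conflict is meant to be fatal, the enforcement has to live in a `lifecycle` `precondition` on the `sysdig_secure_organization` resource rather than here, and the comments should read `# a failed check assertion is a warning only; it does not stop plan/apply`. The second error_message also repeats the variable name: `Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025.` should read `Note: management_group_ids is going to be DEPRECATED on 30th November, 2025.`.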
+++ b/modules/onboarding/organizational.tf
@@ -30,11 +30,12 @@ resource "sysdig_secure_organization" "google_organization" {
 count = var.is_organizational ? 1 : 0
 management_account_id = sysdig_secure_cloud_auth_account.google_account.id
+ organizational_unit_ids = local.check_old_management_group_ids_param ? var.management_group_ids : []
 organization_root_id = local.root_org[0]
- included_organizational_groups = local.prefixed_include_folders
- excluded_organizational_groups = local.prefixed_exclude_folders
- included_cloud_accounts = var.include_projects
- excluded_cloud_accounts = var.exclude_projects
+ included_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_include_folders
+ excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders
+ included_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.include_projects
+ excluded_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.exclude_projects
 automatic_onboarding = var.enable_automatic_onboarding
 depends_on = [
 google_organization_iam_member.browser,
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
index d30fadd..f3631b1 100644
--- a/modules/onboarding/variables.tf
+++ b/modules/onboarding/variables.tf
@@ -15,6 +15,16 @@ variable "organization_domain" {
 default = ""
 }

+variable "management_group_ids" {
+ description = <<-EOF
+ TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
+ When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded. e.g. ["organizations/123456789012"], ["folders/123456789012"]
+ Default: onboard all folders.
+ EOF
+ type = set(string)
+ default = []
+}
+
 variable "suffix" {
 type = string
 description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
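Review bot: When `local.check_old_management_group_ids_param` is true, the four new ternaries set `included_organizational_groups`, `excluded_organizational_groups`, `included_cloud_accounts` and `excluded_cloud_accounts` to `[]`, so an `exclude_folders` or `exclude_projects` list that the operator configured alongside the legacy variable is dropped and the onboarding scope widens to everything under `management_group_ids` without a hard error. The conflict detection in locals.tf is a `check` block, which only warns, so nothing blocks the apply; a `lifecycle` `precondition` on this resource would turn the conflicting configuration into a plan-time failure before any Sysdig-side resource is created. The resource block starts at the hunk header and its `depends_on` list continues past the end of the hunk.
```hcl
resource "sysdig_secure_organization" "google_organization" {
  # … unchanged: count, management_account_id, organizational_unit_ids, include/exclude arguments, automatic_onboarding …

  lifecycle {
    precondition {
      condition     = !local.both_org_configuration_params
      error_message = "management_group_ids cannot be combined with include_folders/exclude_folders/include_projects/exclude_projects; use only one of the two methods."
    }
  }

  # … unchanged: depends_on …
```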
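Review bot: `variable "management_group_ids"` accepts any `set(string)` with no `validation` block, yet organizational.tf passes it straight into `organizational_unit_ids` without the `folders/` prefixing that locals.tf applies to `include_folders`; a bare numeric id, which is exactly the form the neighbouring `include_folders` variable expects, would be sent unprefixed, and whether the provider rejects it or resolves it to something else is not visible here. The description's own examples (`folders/<id>`, `organizations/<id>`) already state the accepted shape, so a validation asserting it rejects that mistake at plan time instead of at the provider.
```hcl
variable "management_group_ids" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for id in var.management_group_ids : can(regex("^(folders|organizations)/[0-9]+$", id))])
    error_message = "Each management_group_ids entry must be 'folders/<id>' or 'organizations/<id>'."
  }
}
```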
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
index 198537b..7e49202 100644
--- a/test/examples/modular_organization/onboarding_with_posture.tf
+++ b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -23,6 +23,9 @@ module "onboarding" {
 is_organizational = true
 organization_domain = "draios.com"
+ # legacy include/exclude org install params
+ # management_group_ids = ["folders/123456789012"]
+
 # include/exclude parameters
 include_folders = ["123456789012", "12345678911"]
 exclude_folders = []