diff --git a/README.md b/README.md index 7c0cb94..1d06c1d 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ There are four new parameters to configure organizational deployments on the clo 3. `include_projects` - List of GCP Projects to deploy the Sysdig Secure for Cloud resources in. 4. `exclude_projects` - List of GCP Projects to exclude deploying the Sysdig Secure for Cloud resources in. -**WARNING**: module variable `management_group_ids` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome. +**DEPRECATION NOTICE**: module variable `management_group_ids` has been DEPRECATED and is no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome. **Note**: The modules under `modules/services/` folder are legacy installs and soon to be deprecated. Those modules are no longer used for Onboarding. Please use the corresponding feature modules as mentioned in `## Modules` section above for Modular Onboarding. It is the recommended form of Onboarding. diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 9265d56..1e54c00 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -81,7 +81,6 @@ resource | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [suffix](#input\_management\_group\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]` | no | | [suffix](#input\_include\_folders) | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no | | [suffix](#input\_exclude\_folders) | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012 | `set(string)` | `[]` | no | | [suffix](#input\_include\_projects) | projects to include for organization. i.e: my-project-id | `set(string)` | `[]` | no | diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 1827f3c..817953a 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf 
@@ -1,38 +1,8 @@ locals { - # check if both old and new include/exclude org parameters are used, we fail early - both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && ( - length(var.include_folders) > 0 || - length(var.exclude_folders) > 0 || - length(var.include_projects) > 0 || - length(var.exclude_projects) > 0 - ) - # add 'folders/' prefix to the include/exclude folders prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"] prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"] - # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it - check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0 - # fetch the GCP root org root_org = var.is_organizational ? [data.google_organization.org[0].name] : [] } - -check "validate_org_configuration_params" { - assert { - condition = length(var.management_group_ids) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated, - ONLY management_group_ids will be considered. Please use only one of the two methods. - - Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index 134315b..16e1075 100644 --- a/modules/onboarding/organizational.tf 
+++ b/modules/onboarding/organizational.tf @@ -30,12 +30,11 @@ resource "sysdig_secure_organization" "google_organization" { count = var.is_organizational ? 1 : 0 management_account_id = sysdig_secure_cloud_auth_account.google_account.id - organizational_unit_ids = local.check_old_management_group_ids_param ? var.management_group_ids : [] organization_root_id = local.root_org[0] - included_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_include_folders - excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders - included_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.include_projects - excluded_cloud_accounts = local.check_old_management_group_ids_param ? [] : var.exclude_projects + included_organizational_groups = local.prefixed_include_folders + excluded_organizational_groups = local.prefixed_exclude_folders + included_cloud_accounts = var.include_projects + excluded_cloud_accounts = var.exclude_projects automatic_onboarding = var.enable_automatic_onboarding depends_on = [ google_organization_iam_member.browser, diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index f3631b1..d30fadd 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -15,16 +15,6 @@ variable "organization_domain" { default = "" } -variable "management_group_ids" { - description = <<-EOF - TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead. - When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded. e.g. ["organizations/123456789012"], ["folders/123456789012"] - Default: onboard all folders. - EOF - type = set(string) - default = [] -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" 
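Review bot: A caller migrating from `management_group_ids` can end up with a double-prefixed folder ID at `included_organizational_groups = local.prefixed_include_folders` (and the matching exclude line), because the `prefixed_include_folders` local in locals.tf always prepends `folders/`. The removed variable took values such as `["folders/123456789012"]`, and the onboarding README row for `include_folders` still describes that format, while the test example passes bare IDs. How the provider treats `folders/folders/123456789012` is not visible here, so the intended scope restriction may silently fail to apply. Consider rejecting values containing `/` in a `validation` block on `include_folders`/`exclude_folders`, or normalising in the local with `"folders/${trimprefix(folder_id, "folders/")}"`, and aligning the README text with the bare-ID form. With all four lists empty the resource appears to scope to the whole `organization_root_id`, so a comment such as `# empty include/exclude lists onboard the entire organization` above these arguments would help callers who only delete `management_group_ids`. The resource block starts and ends outside the hunk.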
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 7e49202..198537b 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -23,9 +23,6 @@ module "onboarding" { is_organizational = true organization_domain = "draios.com" - # legacy include/exclude org install params - # management_group_ids = ["folders/123456789012"] - # include/exclude parameters include_folders = ["123456789012", "12345678911"] exclude_folders = []