Revert "Revert "Deprecate legacy TF module variables for Folder units (#79)" (#81)" (#82)

This reverts commit 9f53c9a.

Author: jose-pablo-camacho

README.md

@@ -71,7 +71,7 @@ There are four new parameters to configure organizational deployments on the clo
 3. `include_projects` - List of GCP Projects to deploy the Sysdig Secure for Cloud resources in.
 4. `exclude_projects` - List of GCP Projects to exclude deploying the Sysdig Secure for Cloud resources in.
 
-**WARNING**: module variable `management_group_ids` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome.
+**DEPRECATION NOTICE**: module variable `management_group_ids` has been DEPRECATED and is no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome.
 
 **Note**: The modules under `modules/services/` folder are legacy installs and soon to be deprecated. Those modules are no longer used for Onboarding. Please use the corresponding feature modules as mentioned in `## Modules` section above for Modular Onboarding. It is the recommended form of Onboarding.
 

modules/onboarding/README.md

@@ -81,7 +81,6 @@ resource |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain)                           | Organization domain. e.g. sysdig.com                                                                                                                                                                           | `string`      | `""`    |    no    |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                                      | (Required) Target Project identifier provided by the customer                                                                                                                                                  | `string`      | n/a     |   yes    |
 | <a name="input_suffix"></a> [suffix](#input\_suffix)                                                                    | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated                                                                                      | `string`      | `null`  |    no    |
-| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)                                      | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.<br>List of management group ids w.r.t an org install. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
 | <a name="input_include_folders"></a> [suffix](#input\_include\_folders)                                                 | folders to include for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                                             | `set(string)` | `[]`    |    no    |
 | <a name="input_exclude_folders"></a> [suffix](#input\_exclude\_folders)                                                 | folders to exclude for organization in the format 'folders/{folder_id}'. i.e: folders/123456789012                                                                                                             | `set(string)` | `[]`    |    no    |
 | <a name="input_include_projects"></a> [suffix](#input\_include\_projects)                                               | projects to include for organization. i.e: my-project-id                                                                                                                                                       | `set(string)` | `[]`    |    no    |

modules/onboarding/locals.tf

@@ -1,38 +1,8 @@
 locals {
-  # check if both old and new include/exclude org parameters are used, we fail early
-  both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
-    length(var.include_folders) > 0 ||
-    length(var.exclude_folders) > 0 ||
-    length(var.include_projects) > 0 ||
-    length(var.exclude_projects) > 0
-  )
-
   # add 'folders/' prefix to the include/exclude folders
   prefixed_include_folders = [for folder_id in var.include_folders : "folders/${folder_id}"]
   prefixed_exclude_folders = [for folder_id in var.exclude_folders : "folders/${folder_id}"]
 
-  # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
-  check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
-
   # fetch the GCP root org
   root_org = var.is_organizational ? [data.google_organization.org[0].name] : []
 }
-
-check "validate_org_configuration_params" {
-  assert {
-    condition     = length(var.management_group_ids) == 0 # if this condition is false we throw warning
-    error_message = <<-EOT
-    WARNING: TO BE DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_folders' instead.
-    EOT
-  }
-
-  assert {
-    condition     = !local.both_org_configuration_params # if this condition is false we throw error
-    error_message = <<-EOT
-    ERROR: If both management_group_ids and include_folders/exclude_folders/include_projects/exclude_projects variables are populated,
-    ONLY management_group_ids will be considered. Please use only one of the two methods.
-
-    Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
-    EOT
-  }
-}

modules/onboarding/organizational.tf

@@ -30,12 +30,11 @@ resource "sysdig_secure_organization" "google_organization" {
   count = var.is_organizational ? 1 : 0
 
   management_account_id          = sysdig_secure_cloud_auth_account.google_account.id
-  organizational_unit_ids        = local.check_old_management_group_ids_param ? var.management_group_ids : []
   organization_root_id           = local.root_org[0]
-  included_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_include_folders
-  excluded_organizational_groups = local.check_old_management_group_ids_param ? [] : local.prefixed_exclude_folders
-  included_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.include_projects
-  excluded_cloud_accounts        = local.check_old_management_group_ids_param ? [] : var.exclude_projects
+  included_organizational_groups = local.prefixed_include_folders
+  excluded_organizational_groups = local.prefixed_exclude_folders
+  included_cloud_accounts        = var.include_projects
+  excluded_cloud_accounts        = var.exclude_projects
   automatic_onboarding           = var.enable_automatic_onboarding
   depends_on = [
     google_organization_iam_member.browser,

modules/onboarding/variables.tf

@@ -15,16 +15,6 @@ variable "organization_domain" {
   default     = ""
 }
 
-variable "management_group_ids" {
-  description = <<-EOF
-    TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_folders` instead.
-    When set, restrict onboarding to a set of folder identifiers whose child projects and projects are to be onboarded. e.g. ["organizations/123456789012"], ["folders/123456789012"]
-    Default: onboard all folders.
-    EOF
-  type        = set(string)
-  default     = []
-}
-
 variable "suffix" {
   type        = string
   description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"

test/examples/modular_organization/onboarding_with_posture.tf

@@ -23,9 +23,6 @@ module "onboarding" {
   is_organizational   = true
   organization_domain = "draios.com"
 
-  # legacy include/exclude org install params
-  # management_group_ids = ["folders/123456789012"]
-
   # include/exclude parameters
   include_folders  = ["123456789012", "12345678911"]
   exclude_folders  = []