SSPROD-59007 - include/exclude TF provisioning support (#76)

* SSPROD-59005 - feat: include/exclude and automatic onboarding vars

* SSPROD-59005 - feat: include/exclude and automatic onboarding vars

* SSPROD-59007 - include/exclude TF provisioning support

* Add unique random ids to role name key

* SSPROD-59007 - include/exclude TF provisioning support

* SSPROD-59007 - include/exclude TF provisioning support

* SSPROD-59007 - include/exclude TF provisioning support

* SSPROD-59007 - include/exclude TF provisioning support

* SSPROD-59007 - include/exclude TF provisioning support

---------

Co-authored-by: Ravina Dhruve <ravina.dhruve@sysdig.com>

Author: jose-pablo-camacho

modules/agentless-scanning/README.md

@@ -51,12 +51,16 @@ No modules.
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
-| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
-| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create a trust relationship | `string` | n/a | yes |
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| Name                                                                                                             | Description                                                                                                                                                                                                                                                                                          | Type          | Default | Required |
+|------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                          | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant.                                                                                                                                                                                                                   | `bool`        | `false` |    no    |
+| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)                               | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_management_groups` instead.<br> List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id)                                | Subscription ID in which to create a trust relationship                                                                                                                                                                                                                                              | `string`      | n/a     |   yes    |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)                                                                                                                                                                        | `string`      | n/a     |   yes    |
+| <a name="input_include_management_groups"></a> [suffix](#input\_include\_management_groups)                      | management_groups to include for organization in the format '<management_group_idt>' i.e: management_group_id_1                                                                                                                                                                                      | `set(string)` | `[]`    |    no    |
+| <a name="input_exclude_management_groups"></a> [suffix](#input\_exclude\_management_groups)                      | management_groups to exclude for organization in the format '<management_group_idt>' i.e: management_group_id_1                                                                                                                                                                                      | `set(string)` | `[]`    |    no    |
+| <a name="input_include_subscriptions"></a> [suffix](#input\_include\_subscriptions)                              | subscriptions to include for organization. i.e: 12345678-1234-1234-1234-123456789abc                                                                                                                                                                                                                 | `set(string)` | `[]`    |    no    |
+| <a name="input_exclude_subscriptions"></a> [suffix](#input\_exclude\_subscriptions)                              | subscriptions to exclude for organization. i.e: 12345678-1234-1234-1234-123456789abc                                                                                                                                                                                                                 | `set(string)` | `[]`    |    no    |
 
 ## Outputs
 

modules/agentless-scanning/locals.tf

@@ -0,0 +1,75 @@
+locals {
+  # check if both old and new include/exclude org parameters are used, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
+    length(var.include_management_groups) > 0 ||
+    length(var.exclude_management_groups) > 0 ||
+    length(var.include_subscriptions) > 0 ||
+    length(var.exclude_subscriptions) > 0
+  )
+
+  # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
+
+  # legacy mode: use management_group_ids if provided
+  selected_management_group = var.is_organizational && local.check_old_management_group_ids_param ? (length(data.azurerm_management_group.management_groups) > 0 ? values(data.azurerm_management_group.management_groups) : [data.azurerm_management_group.root_management_group[0]]) : []
+
+  # legacy mode: get all subscriptions from selected management groups
+  legacy_all_mg_subscription_ids = flatten([
+    for mg in local.selected_management_group : mg.all_subscription_ids
+  ])
+
+  # unified recursive mode: get subscriptions from granular-subscriptions modules when include_management_groups or exclude_management_groups is provided
+  discovered_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? (
+    flatten([
+      module.level0[0].subscriptions,
+      module.level1[0].subscriptions,
+      module.level2[0].subscriptions,
+      module.level3[0].subscriptions,
+      module.level4[0].subscriptions,
+      module.level5[0].subscriptions,
+      module.level6[0].subscriptions
+    ])
+  ) : []
+
+  # include specific subscriptions that are not already discovered
+  additional_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && length(var.include_subscriptions) > 0 ? (
+    [for s in var.include_subscriptions : s if !(contains(local.discovered_subscription_ids, s))]
+  ) : []
+
+  # combine discovered and additional subscriptions
+  new_all_subscription_ids = concat(local.discovered_subscription_ids, local.additional_subscription_ids)
+
+  # default mode: use root management group subscriptions when no include/exclude filters are provided
+  default_all_mg_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && length(var.include_management_groups) == 0 && length(var.exclude_management_groups) == 0 ? (
+    length(var.exclude_subscriptions) > 0 ? (
+      [for s in data.azurerm_management_group.root_management_group[0].all_subscription_ids : s if !(contains(var.exclude_subscriptions, s))]
+      ) : (
+      data.azurerm_management_group.root_management_group[0].all_subscription_ids
+    )
+  ) : []
+
+  # combine all subscription ids based on mode
+  all_mg_subscription_ids = concat(
+    local.legacy_all_mg_subscription_ids,
+    local.new_all_subscription_ids,
+    local.default_all_mg_subscription_ids
+  )
+}
+
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.management_group_ids) == 0 # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: 'management_group_ids' TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate your Terraform installs to use 'include_management_groups' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both management_group_ids and include_management_groups/exclude_management_groups/include_subscriptions/exclude_subscriptions variables are populated,
+    ONLY management_group_ids will be considered. Please use only one of the two methods.
+    Note: management_group_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}

modules/agentless-scanning/main.tf

@@ -34,9 +34,9 @@ resource "azurerm_lighthouse_assignment" "lighthouse_assignment" {
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "azure_service_principal" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_SERVICE_PRINCIPAL"
-  instance                   = "secure-scanning"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_SERVICE_PRINCIPAL"
+  instance   = "secure-scanning"
   service_principal_metadata = jsonencode({
     azure = {
       active_directory_service_principal = {

modules/agentless-scanning/organizational.tf

@@ -3,7 +3,7 @@
 #---------------------------------------------------------------------------------------------
 # If no management group is present, then the root management group is used to onboard all the subscriptions
 data "azurerm_management_group" "root_management_group" {
-  count        = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0
+  count        = var.is_organizational ? 1 : 0
   display_name = "Tenant Root Group"
 }
 
@@ -12,13 +12,8 @@ data "azurerm_management_group" "management_groups" {
   name     = each.value
 }
 
-locals {
-  subscriptions = toset(var.is_organizational && length(var.management_group_ids) == 0 ? data.azurerm_management_group.root_management_group[0].all_subscription_ids :
-  flatten([for m in data.azurerm_management_group.management_groups : m.all_subscription_ids]))
-}
-
 data "azurerm_subscription" "all_subscriptions" {
-  for_each = toset(local.subscriptions)
+  for_each        = toset(local.all_mg_subscription_ids)
   subscription_id = each.value
 }
 

modules/agentless-scanning/outputs.tf

@@ -6,5 +6,5 @@ output "lighthouse_definition_display_id" {
 output "service_principal_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.azure_service_principal.type}/${sysdig_secure_cloud_auth_account_component.azure_service_principal.instance}"
   description = "Component identifier of Service Principal created in Sysdig Backend for Agentless Scanning"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.azure_service_principal ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.azure_service_principal]
 }

modules/agentless-scanning/subscriptions.tf

@@ -0,0 +1,71 @@
+# Azure supports up to 6 levels of management groups(do not include root management group), so we will create a module to get subscriptions using include/exclude filters for each level.
+# This is a workaround for the fact that Azure does not support recursive management group queries in TF.
+# http://learn.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-management-groups
+
+# Rules for this module:
+# 1. We will exercise the module if 'exclude_management_groups' is set. We will recursively get all the management groups from the root management group id and exclude the ones in the exclude_management_groups list.
+# 2. We will exercise the module if 'include_management_groups' is set. We will recursively get all the management groups from the management group list and exclude the ones in the exclude_management_groups list.
+# 3. We will honor the include/exclude logic for subscriptions as well.
+
+module "level0" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = length(var.include_management_groups) > 0 ? var.include_management_groups : [data.azurerm_management_group.root_management_group[0].name]
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level1" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level0[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level2" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level1[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level3" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level2[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level4" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level3[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level5" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level4[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+}
+
+module "level6" {
+  count                     = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? 1 : 0
+  source                    = "../utils/granular-subscriptions"
+  management_group_ids      = module.level5[0].child_management_group_ids
+  exclude_management_groups = var.exclude_management_groups
+  include_subscriptions     = var.include_subscriptions
+  exclude_subscriptions     = var.exclude_subscriptions
+} 

modules/agentless-scanning/variables.tf

@@ -10,12 +10,40 @@ variable "is_organizational" {
 }
 
 variable "management_group_ids" {
-  description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups."
+  description = <<-EOF
+    TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_management_groups` instead.
+    When set, restrict onboarding to a set of Azure Management Groups identifiers whose child management groups and subscriptions are to be onboarded.
+    Default: onboard all management groups.
+    EOF
   type        = set(string)
   default     = []
 }
 
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)"
-}
+}
+
+variable "include_management_groups" {
+  description = "(Optional) management groups to include for organization in the format '<management_group_id>' i.e: management_group_id_1"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_management_groups" {
+  description = "(Optional) management groups to exclude for organization in the format '<management_group_id>' i.e: management_group_id_1"
+  type        = set(string)
+  default     = []
+}
+
+variable "include_subscriptions" {
+  description = "(Optional) subscription ids to include for organization i.e: 12345678-1234-1234-1234-123456789abc"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_subscriptions" {
+  description = "(Optional) subscription ids to exclude for organization i.e: 12345678-1234-1234-1234-123456789abc"
+  type        = set(string)
+  default     = []
+}