Deprecate legacy TF module variables for MGs (#83)

* Deprecate legacy TF module variables for MGs

DEPRECATION NOTICE
--------------------
Deprecating the following variables from all modules :-

- management_group_ids
With this breaking change, above legacy var will no longer be supported for Secure installs.

Recommended Solutions
-----------------------
- For new Foundational installs: Users can use the new vars only, for including and excluding management_groups and/or accounts.

- For existing installs:
  - It is highly recommended to migrate to using new variables. Please work with Sysdig to migrate your Terraform installs to use new vars instead to achieve the same deployment outcome.
  - Pin and use older module version if you do not wish to migrate.

* Disable TFLint rule for unused variable declarations

---------

Co-authored-by: Ivan Besinovic <ivan.besinovic@sysdig.com>

Author: ravinadhruve10

.tflint.hcl

@@ -16,7 +16,7 @@ deps: $(TFLINT)
 	go install github.com/hashicorp/terraform-config-inspect@latest
 
 lint: $(TFLINT)
-	$(MAKE) -C modules lint
+	$(TFLINT) --recursive --chdir=modules --config=.tflint.hcl
 
 fmt:
 	terraform fmt -check -recursive modules

Makefile

@@ -44,7 +44,6 @@ No modules.
 | [azurerm_lighthouse_assignment.lighthouse_assignment_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_assignment) | resource |
 | [azurerm_lighthouse_definition.lighthouse_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_definition) | resource |
 | [sysdig_secure_cloud_auth_account_component.azure_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
-| [azurerm_management_group.management_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
 | [azurerm_management_group.root_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
 | [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [sysdig_secure_agentless_scanning_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_agentless_scanning_assets) | data source |
@@ -54,7 +53,6 @@ No modules.
 | Name                                                                                                             | Description                                                                                                                                                                                                                                                                                          | Type          | Default | Required |
 |------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                          | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant.                                                                                                                                                                                                                   | `bool`        | `false` |    no    |
-| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)                               | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_management_groups` instead.<br> List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
 | <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id)                                | Subscription ID in which to create a trust relationship                                                                                                                                                                                                                                              | `string`      | n/a     |   yes    |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)                                                                                                                                                                        | `string`      | n/a     |   yes    |
 | <a name="input_include_management_groups"></a> [suffix](#input\_include\_management_groups)                      | management_groups to include for organization in the format '<management_group_idt>' i.e: management_group_id_1                                                                                                                                                                                      | `set(string)` | `[]`    |    no    |

modules/.tflint.hcl

@@ -1,25 +1,6 @@
 locals {
-  # check if both old and new include/exclude org parameters are used, we fail early
-  both_org_configuration_params = var.is_organizational && length(var.management_group_ids) > 0 && (
-    length(var.include_management_groups) > 0 ||
-    length(var.exclude_management_groups) > 0 ||
-    length(var.include_subscriptions) > 0 ||
-    length(var.exclude_subscriptions) > 0
-  )
-
-  # check if old management_group_ids parameter is provided, for backwards compatibility we will always give preference to it
-  check_old_management_group_ids_param = var.is_organizational && length(var.management_group_ids) > 0
-
-  # legacy mode: use management_group_ids if provided
-  selected_management_group = var.is_organizational && local.check_old_management_group_ids_param ? (length(data.azurerm_management_group.management_groups) > 0 ? values(data.azurerm_management_group.management_groups) : [data.azurerm_management_group.root_management_group[0]]) : []
-
-  # legacy mode: get all subscriptions from selected management groups
-  legacy_all_mg_subscription_ids = flatten([
-    for mg in local.selected_management_group : mg.all_subscription_ids
-  ])
-
   # unified recursive mode: get subscriptions from granular-subscriptions modules when include_management_groups or exclude_management_groups is provided
-  discovered_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? (
+  discovered_subscription_ids = var.is_organizational && (length(var.include_management_groups) > 0 || length(var.exclude_management_groups) > 0) ? (
     flatten([
       module.level0[0].subscriptions,
       module.level1[0].subscriptions,
@@ -32,15 +13,15 @@ locals {
   ) : []
 
   # include specific subscriptions that are not already discovered
-  additional_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && length(var.include_subscriptions) > 0 ? (
+  additional_subscription_ids = var.is_organizational && length(var.include_subscriptions) > 0 ? (
     [for s in var.include_subscriptions : s if !(contains(local.discovered_subscription_ids, s))]
   ) : []
 
   # combine discovered and additional subscriptions
   new_all_subscription_ids = concat(local.discovered_subscription_ids, local.additional_subscription_ids)
 
   # default mode: use root management group subscriptions when no include/exclude filters are provided
-  default_all_mg_subscription_ids = var.is_organizational && !local.check_old_management_group_ids_param && length(var.include_management_groups) == 0 && length(var.exclude_management_groups) == 0 ? (
+  default_all_mg_subscription_ids = var.is_organizational && length(var.include_management_groups) == 0 && length(var.exclude_management_groups) == 0 ? (
     length(var.exclude_subscriptions) > 0 ? (
       [for s in data.azurerm_management_group.root_management_group[0].all_subscription_ids : s if !(contains(var.exclude_subscriptions, s))]
       ) : (
@@ -50,26 +31,7 @@ locals {
 
   # combine all subscription ids based on mode
   all_mg_subscription_ids = concat(
-    local.legacy_all_mg_subscription_ids,
     local.new_all_subscription_ids,
     local.default_all_mg_subscription_ids
   )
-}
-
-check "validate_org_configuration_params" {
-  assert {
-    condition     = length(var.management_group_ids) == 0 # if this condition is false we throw warning
-    error_message = <<-EOT
-    WARNING: 'management_group_ids' TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate your Terraform installs to use 'include_management_groups' instead.
-    EOT
-  }
-
-  assert {
-    condition     = !local.both_org_configuration_params # if this condition is false we throw error
-    error_message = <<-EOT
-    ERROR: If both management_group_ids and include_management_groups/exclude_management_groups/include_subscriptions/exclude_subscriptions variables are populated,
-    ONLY management_group_ids will be considered. Please use only one of the two methods.
-    Note: management_group_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
-    EOT
-  }
 }

modules/agentless-scanning/.tflint.hcl

@@ -7,11 +7,6 @@ data "azurerm_management_group" "root_management_group" {
   display_name = "Tenant Root Group"
 }
 
-data "azurerm_management_group" "management_groups" {
-  for_each = var.is_organizational && length(var.management_group_ids) > 0 ? var.management_group_ids : []
-  name     = each.value
-}
-
 data "azurerm_subscription" "all_subscriptions" {
   for_each        = toset(local.all_mg_subscription_ids)
   subscription_id = each.value

modules/agentless-scanning/README.md

@@ -9,16 +9,6 @@ variable "is_organizational" {
   default     = false
 }
 
-variable "management_group_ids" {
-  description = <<-EOF
-    TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_management_groups` instead.
-    When set, restrict onboarding to a set of Azure Management Groups identifiers whose child management groups and subscriptions are to be onboarded.
-    Default: onboard all management groups.
-    EOF
-  type        = set(string)
-  default     = []
-}
-
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)"

modules/agentless-scanning/locals.tf

@@ -0,0 +1,4 @@
+rule "terraform_unused_declarations" {
+  enabled = false
+}
+

modules/agentless-scanning/organizational.tf

@@ -71,7 +71,6 @@ No modules.
 |------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
 | <a name="input_agentless_aks_connection_enabled"></a> [agentless\_aks\_connection\_enabled](#input\_agentless\_aks\_connection\_enabled) | Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs.                                                                                                                                         | `bool`        | `false` |    no    |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                                                  | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant.                                                                                                                                                                                                                   | `bool`        | `false` |    no    |
-| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)                                                       | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_management_groups` instead.<br> List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. If not provided, set to empty by default | `set(string)` | `[]`    |    no    |
 | <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id)                                                        | Subscription ID in which to create resources for secure-for-cloud                                                                                                                                                                                                                                    | `string`      | n/a     |   yes    |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)                         | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)                                                                                                                                                                            | `string`      | n/a     |   yes    |
 | <a name="input_config_posture_service_principal"></a> [config\_posture\_service\_principal](#input\_config\_posture\_service\_principal) | (Optional) Service Principal to be used for CSPM, this SP needs to be associated to the Sysdig Config Posture Application ID. If not provided, a new one will be created.                                                                                                                            | `string`      | `""`    |    no    |