sysdiglabs · ivanbesinovic-sysdig · Jun 8, 2026 · May 28, 2026
@@ -39,12 +39,15 @@ resource "azuread_service_principal" "sysdig_cspm_sp" {
   notes        = "Service Principal linked to the Sysdig Secure CNAPP - CSPM module"
 }
 
+
 #---------------------------------------------------------------------------------------------
 # Assign "Directory Reader" AD role to Sysdig SP
+# Only assigned for tenant-level onboarding when CIEM is explicitly enabled.
+# Directory Readers is a tenant-wide Entra ID role required for CIEM identity enumeration.
+# Requires the installer to have Privileged Role Administrator permissions.
 #---------------------------------------------------------------------------------------------
-
 resource "azuread_directory_role_assignment" "sysdig_ad_reader" {
-  count               = var.config_posture_service_principal != "" ? 0 : 1
+  count               = (var.is_organizational && var.enable_ciem && var.config_posture_service_principal == "") ? 1 : 0
   role_id             = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" // template ID of Directory Reader AD role
   principal_object_id = azuread_service_principal.sysdig_cspm_sp[0].object_id
 }

@@ -56,3 +56,10 @@ variable "use_existing_role_assignments" {
   type        = bool
   default     = false
 }
+
+variable "enable_ciem" {
+  description = "(Optional) Set to 'true' to enable CIEM (Cloud Identity and Entitlement Management) for tenant-level onboarding. When enabled, the Sysdig Service Principal will be assigned the Entra ID Directory Readers role, which requires the installer to have Privileged Role Administrator permissions. Has no effect when is_organizational = false."
+  type        = bool
+  default     = true
+}
+
@@ -32,8 +32,12 @@ resource "azuread_service_principal" "sysdig_sp" {
 
 #---------------------------------------------------------------------------------------------
 # Assign "Directory Reader" AD role to Sysdig SP
+# Only assigned for tenant-level onboarding when CIEM is explicitly enabled.
+# Directory Readers is a tenant-wide Entra ID role required for CIEM identity enumeration.
+# Requires the installer to have Privileged Role Administrator permissions.
 #---------------------------------------------------------------------------------------------
 resource "azuread_directory_role_assignment" "sysdig_ad_reader" {
+  count               = (var.is_organizational && var.enable_ciem) ? 1 : 0
   role_id             = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" // template ID of Directory Reader AD role
   principal_object_id = azuread_service_principal.sysdig_sp.object_id
 }

@@ -25,3 +25,9 @@ variable "agentless_aks_connection_enabled" {
   description = "Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs."
   default     = false
 }
+
+variable "enable_ciem" {
+  description = "(Optional) Set to 'true' to enable CIEM (Cloud Identity and Entitlement Management) for tenant-level onboarding. When enabled, the Sysdig Service Principal will be assigned the Entra ID Directory Readers role, which requires the installer to have Privileged Role Administrator permissions. Has no effect when is_organizational = false."
+  type        = bool
+  default     = true
+}
@@ -1,13 +1,13 @@
 # tflint-ignore: terraform_required_providers
 provider "azurerm" {
-  features { }
+  features {}
   subscription_id = "test-subscription"
   tenant_id       = "test-tenant"
 }
 
 # tflint-ignore: terraform_required_providers
 provider "azuread" {
-  tenant_id       = "test-tenant"
+  tenant_id = "test-tenant"
 }
 
 # tflint-ignore: terraform_required_version
@@ -26,19 +26,19 @@ provider "sysdig" {
 }
 
 module "onboarding" {
-  source               = "../../../modules/onboarding"
-  subscription_id      = "test-subscription"
-  tenant_id            = "test-tenant"
-  is_organizational    = true
+  source            = "../../../modules/onboarding"
+  subscription_id   = "test-subscription"
+  tenant_id         = "test-tenant"
+  is_organizational = true
 
   # Optional: pre-existing SP pointing to Sysdig Onboarding App ID
   onboarding_service_principal = "onboarding-service-principal-id"
 
   # Include/Exclude specific parameters
   include_management_groups = ["mgmt-group-id1", "mgmt-group-id2"]
   exclude_management_groups = []
-  include_subscriptions = []
-  exclude_subscriptions = []
+  include_subscriptions     = []
+  exclude_subscriptions     = []
 
   # optionally pass automatic onboarding for orgs (defaults to false)
   enable_automatic_onboarding = false
@@ -49,23 +49,24 @@ module "config-posture" {
   subscription_id          = module.onboarding.subscription_id
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
   is_organizational        = module.onboarding.is_organizational
+  enable_ciem              = true
 
   # Optional: pre-existing SP pointing to Sysdig CSPM App ID
   # config_posture_service_principal = "config-posture-service-principal-id"
 
   # Include/Exclude specific parameters from onboarding module
   include_management_groups = module.onboarding.include_management_groups
   exclude_management_groups = module.onboarding.exclude_management_groups
-  include_subscriptions = module.onboarding.include_subscriptions
-  exclude_subscriptions = module.onboarding.exclude_subscriptions
+  include_subscriptions     = module.onboarding.include_subscriptions
+  exclude_subscriptions     = module.onboarding.exclude_subscriptions
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "config_posture" {
   account_id = module.onboarding.sysdig_secure_account_id
   type       = "FEATURE_SECURE_CONFIG_POSTURE"
   enabled    = true
   components = [module.config-posture.service_principal_component_id]
-  depends_on = [ module.config-posture ]
+  depends_on = [module.config-posture]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" {
@@ -75,7 +76,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic"
   components = [module.config-posture.service_principal_component_id]
   depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture]
   flags = {
-    "CIEM_FEATURE_MODE": "basic"
+    "CIEM_FEATURE_MODE" : "basic"
   }
 
   lifecycle {

@@ -21,15 +21,5 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
   depends_on = [ module.event-hub ]
 }
 
-resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" {
-  account_id = module.onboarding.sysdig_secure_account_id
-  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
-  enabled    = true
-  components = concat(tolist(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components), [module.event-hub.event_hub_component_id])
-  depends_on = [module.event-hub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
-  flags = {"CIEM_FEATURE_MODE": "advanced"}
-
-  lifecycle {
-    ignore_changes = [flags, components]
-  }
-}
+# CIEM advanced (identity_entitlement with Event Hub) is not supported for single-subscription
+# onboarding. CIEM requires tenant-level (organizational) onboarding with enable_ciem = true.
@@ -1,13 +1,13 @@
 # tflint-ignore: terraform_required_providers
 provider "azurerm" {
-  features { }
+  features {}
   subscription_id = "test-subscription"
   tenant_id       = "test-tenant"
 }
 
 # tflint-ignore: terraform_required_providers
 provider "azuread" {
-  tenant_id       = "test-tenant"
+  tenant_id = "test-tenant"
 }
 
 # tflint-ignore: terraform_required_version
@@ -26,9 +26,9 @@ provider "sysdig" {
 }
 
 module "onboarding" {
-  source           = "../../../modules/onboarding"
-  subscription_id  = "test-subscription"
-  tenant_id        = "test-tenant"
+  source          = "../../../modules/onboarding"
+  subscription_id = "test-subscription"
+  tenant_id       = "test-tenant"
 }
 
 module "config-posture" {
@@ -45,20 +45,9 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_posture" {
   type       = "FEATURE_SECURE_CONFIG_POSTURE"
   enabled    = true
   components = [module.config-posture.service_principal_component_id]
-  depends_on = [ module.config-posture ]
+  depends_on = [module.config-posture]
 }
 
-resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" {
-  account_id = module.onboarding.sysdig_secure_account_id
-  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
-  enabled    = true
-  components = [module.config-posture.service_principal_component_id]
-  depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture]
-  flags = {
-    "CIEM_FEATURE_MODE": "basic"
-  }
-
-  lifecycle {
-    ignore_changes = [flags, components]
-  }
-}
+# CIEM (identity_entitlement) is not supported for single-subscription onboarding.
+# Directory Readers is a tenant-level permission and is only assigned when onboarding
+# at the tenant/organizational level with CIEM explicitly enabled.