Migration Guide

This guide helps you migrate Azure organization onboarding to Include/Exclude parameters.

Sysdig has deprecated the legacy management_group_ids parameter used in earlier Azure organization onboarding configurations.

If you onboarded Azure using Terraform module version 0.3.x, your Terraform templates may still include this field.

To maintain compatibility and receive future updates, migrate your configuration to the supported parameters:

  • include_management_groups
  • exclude_management_groups
  • include_subscriptions
  • exclude_subscriptions

This migration updates your configuration only. Your existing onboarding behavior remains the same unless you choose to adjust which management groups or subscriptions are included.

Before You Begin

Review your current onboarding setup:

Choose the instructions that match your environment and whether you want to keep the same Azure organization structure or modify it.

Terraform Migration

Scenario A: Keep the Same Azure Organization Structure

Use this section if you want to migrate to the new include/exclude parameters without changing which management groups or subscriptions Sysdig monitors.

Foundational/CSPM Only

  1. Map existing values.
    Copy the values from management_group_ids into include_management_groups.
    If management_group_ids is empty, keep include_management_groups empty.

  2. Update the onboarding module (main.tf).

    Replace:

    management_group_ids = ["management-group-test"]

    with:

    include_management_groups = ["management-group-test"]
    exclude_management_groups = []
    include_subscriptions     = []
    exclude_subscriptions     = []

  3. Update the config posture module. Replace:

    management_group_ids = module.onboarding.management_group_ids

    with:

    include_management_groups = module.onboarding.include_management_groups
    exclude_management_groups = module.onboarding.exclude_management_groups
    include_subscriptions     = module.onboarding.include_subscriptions
    exclude_subscriptions     = module.onboarding.exclude_subscriptions

  4. Update the module versions.

  5. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Foundational/CSPM + CDR

  1. Complete the steps in Foundational/CSPM Only, then update the log-ingestion module snippet. In the old log-ingestion snippet file, replace:

    management_group_ids = module.onboarding.management_group_ids
    

    with:

    include_management_groups = module.onboarding.include_management_groups
    exclude_management_groups = module.onboarding.exclude_management_groups
    include_subscriptions     = module.onboarding.include_subscriptions
    exclude_subscriptions     = module.onboarding.exclude_subscriptions
    
  2. Update the module version for this snippet to 2.0.0, if not already done.

  3. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Foundational/CSPM + Host Scanning

  1. Complete the steps in Foundational/CSPM Only, then update the host-scanning snippet. In the old host-scanning snippet file, in module “agentless-scanning”, replace:

    management_group_ids = module.onboarding.management_group_ids
    

    with:

    include_management_groups = module.onboarding.include_management_groups
    exclude_management_groups = module.onboarding.exclude_management_groups
    include_subscriptions     = module.onboarding.include_subscriptions
    exclude_subscriptions     = module.onboarding.exclude_subscriptions
    
  2. Ensure this module also uses version 2.0.0.

  3. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Foundational/CSPM + Workload Scanning

  1. Complete the steps in Foundational/CSPM Only, then update the workload-scanning snippet. In the old workload-scanning snippet file, in module “vm_workload_scanning”, replace:

    management_group_ids = module.onboarding.management_group_ids
    

    with:

    include_management_groups = module.onboarding.include_management_groups
    exclude_management_groups = module.onboarding.exclude_management_groups
    include_subscriptions     = module.onboarding.include_subscriptions
    exclude_subscriptions     = module.onboarding.exclude_subscriptions
    
  2. Ensure this module also uses version 2.0.0.

  3. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
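
A pre-apply check for the Scenario A steps, added here as an example and not part of Sysdig's documentation or modules: it flags Terraform files that still reference management_group_ids or that assign only some of the four new parameters. The names check_migration and write_sample and the sample main.tf are constructed for illustration; expecting all four parameters together follows the snippets above and is an assumption.

```sh
#!/bin/sh
# Added example: pre-apply check for the management_group_ids migration.
# Prints LEGACY for a file line that still uses the deprecated name and
# MISSING when a file assigns some, but not all four, of the new parameters
# (checked per file, not per module block). Returns 0 only when clean.

NEW_PARAMS="include_management_groups exclude_management_groups include_subscriptions exclude_subscriptions"

check_migration() {
    dir=${1:-.}
    findings=0
    list=$(mktemp)
    find "$dir" -type f -name '*.tf' ! -path '*/.terraform/*' > "$list"
    while IFS= read -r f; do
        # Deprecated name, ignoring comment-only lines.
        legacy=$(grep -n 'management_group_ids' "$f" |
                 grep -v -E '^[0-9]+:[[:space:]]*(#|//)' || true)
        if [ -n "$legacy" ]; then
            printf '%s\n' "$legacy" | awk -v f="$f" '{ print "LEGACY " f ":" $0 }'
            findings=$((findings + 1))
        fi
        # Assumption: once one new parameter is assigned, expect all four.
        if grep -q -E '^[[:space:]]*(include|exclude)_(management_groups|subscriptions)[[:space:]]*=' "$f"; then
            for p in $NEW_PARAMS; do
                if ! grep -q -E "^[[:space:]]*$p[[:space:]]*=" "$f"; then
                    echo "MISSING $f: $p"
                    findings=$((findings + 1))
                fi
            done
        fi
    done < "$list"
    rm -f "$list"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a half-migrated main.tf (not a real configuration).
write_sample() {
    mkdir -p "$1"
    cat > "$1/main.tf" <<'EOF'
module "onboarding" {
  include_management_groups = ["management-group-test"]
  exclude_management_groups = []
}
module "config-posture" {
  management_group_ids = module.onboarding.management_group_ids
}
EOF
}
```

Call check_migration on the directory that holds your templates before running terraform apply; a non-zero return means at least one file needs another pass.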
    

Scenario B: Change the Azure Organization Structure During or After Migration

Follow these instructions if you want to adjust which management groups or subscriptions Sysdig monitors.

  1. First migrate from management_group_ids to the new include/exclude fields by following the steps in Scenario A for your use case.

  2. In the onboarding module, set the following parameters in the combination that matches your target structure:

    • include_management_groups
    • exclude_management_groups
    • include_subscriptions
    • exclude_subscriptions
  3. Use the Include/Exclude workflow in the Sysdig UI as a guide to design your structure.

  4. Apply the updated configuration. Run the following commands:

    terraform init --upgrade
    terraform apply