From 061f9944af8d677be18bedafd4f90cdc0f377b70 Mon Sep 17 00:00:00 2001
From: lorenzo merici
Date: Tue, 22 Apr 2025 16:54:26 +0200
Subject: [PATCH 1/2] prefetch root org id

---
 modules/integrations/cloud-logs/main.tf | 16 ++++++++++++++--
 modules/integrations/cloud-logs/variables.tf | 12 ++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index f70b31d..c1e9531 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -40,6 +40,14 @@ data "sysdig_secure_cloud_ingestion_assets" "assets" {
 cloud_provider_id = data.aws_caller_identity.current.account_id
 }
 
+#----------------------------------------------------------
+# Fetch & compute required data for organizational install
+#----------------------------------------------------------
+data "aws_organizations_organization" "org" {
+ count = var.is_organizational ? 1 : 0
+}
+
+
 #-----------------------------------------------------------------------------------------
 # Generate a unique name for resources using random suffix and account ID hash
 #-----------------------------------------------------------------------------------------
@@ -69,6 +77,10 @@ locals {
 
 # StackSet configuration
 stackset_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
+
+ # fetch the AWS Root OU under org
+ # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
+ root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
 #-----------------------------------------------------------------------------------------------------------------------
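Review bot: The `aws_organizations_organization` data source added here only resolves when the caller is the Organizations management account or a delegated administrator with at least `organizations:DescribeOrganization` and `organizations:ListRoots`, and nothing in the module states that prerequisite, so `is_organizational = true` run from a member account fails at refresh with a provider error rather than a clear message. Suggest a comment above the data block: `# Requires the Organizations management account or a delegated admin (organizations:DescribeOrganization / ListRoots).` The two trailing added blank lines also leave a double blank before the next section header; one suffices.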
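Review bot: `root_org_unit` evaluates to `[]` whenever `var.is_organizational` is false, yet the two `deployment_targets` blocks later in this patch reference it unconditionally; the `count` expressions of those StackSet-instance resources are outside the hunks, so if they are gated on anything other than `is_organizational`, CloudFormation would receive an empty `organizational_unit_ids` combined with `INTERSECTION`. If the instances are organizational-only, say so where the local is defined, e.g. `# Consumed only by the organizational StackSet instances; empty in non-org mode.` The enclosing `locals` block starts before this hunk.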
@@ -247,7 +259,7 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_bucket" {
 stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name
 
 deployment_targets {
- organizational_unit_ids = var.org_units
+ organizational_unit_ids = local.root_org_unit
 account_filter_type = "INTERSECTION"
 accounts = [local.bucket_account_id]
 }
@@ -268,7 +280,7 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_topic" {
 stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name
 
 deployment_targets {
- organizational_unit_ids = var.org_units
+ organizational_unit_ids = local.root_org_unit
 account_filter_type = "INTERSECTION"
 accounts = [local.topic_account_id]
 }
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 00cdb41..1c42120 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -3,6 +3,12 @@ variable "sysdig_secure_account_id" {
 description = "ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account)"
 }
 
+variable "is_organizational" {
+ description = "(Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs)"
+ type = bool
+ default = false
+}
+
 variable "bucket_arn" {
 description = "(Required) The ARN of your CloudTrail Bucket"
 type = string
@@ -78,12 +84,6 @@ variable "timeout" {
 default = "30m"
 }
 
-variable "org_units" {
- type = list(string)
- description = "List of AWS Organizations organizational unit (OU) IDs in which to create the StackSet instances. Required for cross-account organizational deployments."
- default = []
-}
-
 variable "kms_key_arn" {
 description = "ARN of the KMS key used to encrypt the S3 bucket. If provided, the IAM role will be granted decrypt permissions."
 type = string
From b7d56a744e8aede3ac3555a5686a9b14744272cc Mon Sep 17 00:00:00 2001
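Review bot: Pointing `organizational_unit_ids` at the organization root declares the whole organization as the deployment target, and the effective scope of the StackSet instance now rests solely on `account_filter_type = "INTERSECTION"` together with `accounts = [local.bucket_account_id]`; that does pin deployment to one account, but it silently removes the OU-level restriction operators could previously express through `var.org_units`, an interface change that deserves a changelog entry. The same replacement appears in the `cloudlogs_s3_access_topic` instance in the next hunk. A comment on the changed line, `# Root OU + INTERSECTION filter = deploy only to the bucket account; OU scoping is no longer an input.`, would make the intent explicit. Both resource blocks start before their hunks.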
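Review bot: The description of `is_organizational` promises deployment to "an AWS Organization (Or specific OUs)", but the same patch removes `org_units` and the main.tf hunks hard-wire the organization root, so no input for specific OUs remains and the text misleads operators deciding on scope; the follow-up commit only swaps "EventBridge" for "CloudLogs" and keeps that wording. Suggest `description = "(Optional) Set to 'true' for an organizational deployment; StackSet instances target the organization root and are restricted to the bucket/topic accounts. Must be run from the Organizations management or delegated-admin account."`.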
From: lorenzo merici
Date: Tue, 22 Apr 2025 17:06:53 +0200
Subject: [PATCH 2/2] update comment

---
 modules/integrations/cloud-logs/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 1c42120..116a07b 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -4,7 +4,7 @@ variable "sysdig_secure_account_id" {
 }
 
 variable "is_organizational" {
- description = "(Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs)"
+ description = "(Optional) Set this field to 'true' to deploy CloudLogs to an AWS Organization (Or specific OUs)"
 type = bool
 default = false
 }