sysdiglabs · lorenzo-merici · Apr 22, 2025 · Apr 22, 2025 · Apr 22, 2025
@@ -40,6 +40,14 @@ data "sysdig_secure_cloud_ingestion_assets" "assets" {
   cloud_provider_id  = data.aws_caller_identity.current.account_id
 }
 
+#----------------------------------------------------------
+# Fetch & compute required data for organizational install
+#----------------------------------------------------------
+data "aws_organizations_organization" "org" {
+  count = var.is_organizational ? 1 : 0
+}
+
+
 #-----------------------------------------------------------------------------------------
 # Generate a unique name for resources using random suffix and account ID hash
 #-----------------------------------------------------------------------------------------
@@ -69,6 +77,10 @@ locals {
 
   # StackSet configuration
   stackset_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
+
+  # fetch the AWS Root OU under org
+  # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
+  root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
 #-----------------------------------------------------------------------------------------------------------------------
@@ -247,7 +259,7 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_bucket" {
   stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name
 
   deployment_targets {
-    organizational_unit_ids = var.org_units
+    organizational_unit_ids = local.root_org_unit
     account_filter_type = "INTERSECTION"
     accounts = [local.bucket_account_id]
   }
@@ -268,7 +280,7 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_topic" {
   stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name
 
   deployment_targets {
-    organizational_unit_ids = var.org_units
+    organizational_unit_ids = local.root_org_unit
     account_filter_type = "INTERSECTION"
     accounts = [local.topic_account_id]
   }

@@ -3,6 +3,12 @@ variable "sysdig_secure_account_id" {
   description = "ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account)"
 }
 
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy CloudLogs to an AWS Organization (Or specific OUs)"
+  type        = bool
+  default     = false
+}
+
 variable "bucket_arn" {
   description = "(Required) The ARN of your CloudTrail Bucket"
   type        = string
@@ -78,12 +84,6 @@ variable "timeout" {
   default     = "30m"
 }
 
-variable "org_units" {
-  type        = list(string)
-  description = "List of AWS Organizations organizational unit (OU) IDs in which to create the StackSet instances. Required for cross-account organizational deployments."
-  default     = []
-}
-
 variable "kms_key_arn" {
   description = "ARN of the KMS key used to encrypt the S3 bucket. If provided, the IAM role will be granted decrypt permissions."
   type        = string