diff --git a/README.md b/README.md index 5fbe144..31d8376 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ There are four new parameters to configure organizational deployments on the clo 3. `include_accounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in. 4. `exclude_accounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in. -**WARNING**: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED soon going forward. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome. +**WARNING**: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome. ### Stackset Instances Installation diff --git a/modules/agentless-scanning/README.md b/modules/agentless-scanning/README.md index e54650e..4f39374 100644 --- a/modules/agentless-scanning/README.md +++ b/modules/agentless-scanning/README.md @@ -62,7 +62,7 @@ No modules. | [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Deletion window for shared KMS key | `number` | `7` | no | | [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-secure-scanning"` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | +| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no | | [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | `"878070807337"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no | diff --git a/modules/agentless-scanning/locals.tf b/modules/agentless-scanning/locals.tf index 32cec9d..4096dc3 100644 --- a/modules/agentless-scanning/locals.tf +++ b/modules/agentless-scanning/locals.tf @@ -27,7 +27,7 @@ check "validate_org_configuration_params" { assert { condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. + WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } @@ -37,7 +37,7 @@ check "validate_org_configuration_params" { ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. - Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. + Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } } diff --git a/modules/agentless-scanning/variables.tf b/modules/agentless-scanning/variables.tf index 5d7697d..e70ae6b 100644 
--- a/modules/agentless-scanning/variables.tf +++ b/modules/agentless-scanning/variables.tf @@ -32,7 +32,7 @@ variable "is_organizational" { variable "org_units" { description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. + TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` EOF diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index d122bec..55b6512 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -52,7 +52,7 @@ No modules. |----------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
Org unit id to install cspm | `set(string)` | `[]` | no | +| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
Org unit id to install cspm | `set(string)` | `[]` | no | | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | diff --git a/modules/config-posture/locals.tf b/modules/config-posture/locals.tf index e0e1527..b1b397f 100644 --- a/modules/config-posture/locals.tf +++ b/modules/config-posture/locals.tf @@ -27,7 +27,7 @@ check "validate_org_configuration_params" { assert { condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. + WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } @@ -37,7 +37,7 @@ check "validate_org_configuration_params" { ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. - Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. + Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } } diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index ddeaaf5..553c861 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -10,7 +10,7 @@ variable "is_organizational" { variable "org_units" { description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. + TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. When set, org units to install cspm. EOF type = set(string) diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md index f9afbd7..3d2a485 100644 
--- a/modules/integrations/event-bridge/README.md +++ b/modules/integrations/event-bridge/README.md @@ -76,7 +76,7 @@ No modules. | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) | `bool` | `false` | no | | [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sysdig-secure-events"` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization." | `set(string)` | `[]` | no | +| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization." | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to setup EventBridge. By default, current region is selected | `set(string)` | `[]` | no | | [rule\_state](#input\_rule\_state) | State of the rule. When state is ENABLED, the rule is enabled for all events except those delivered by CloudTrail. To also enable the rule for events delivered by CloudTrail, set state to ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role arn to run SELF\_MANAGED stackset | `string` | `""` | no | diff --git a/modules/integrations/event-bridge/locals.tf b/modules/integrations/event-bridge/locals.tf index 1166adf..c5cd52e 100644 --- a/modules/integrations/event-bridge/locals.tf +++ b/modules/integrations/event-bridge/locals.tf @@ -27,7 +27,7 @@ check "validate_org_configuration_params" { assert { condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. + WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } 
@@ -37,7 +37,7 @@ check "validate_org_configuration_params" { ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. - Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. + Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } } diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf index 019f73d..b5fb6d6 100644 --- a/modules/integrations/event-bridge/variables.tf +++ b/modules/integrations/event-bridge/variables.tf @@ -6,7 +6,7 @@ variable "is_organizational" { variable "org_units" { description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. + TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` EOF diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 8f21391..593f15d 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
@@ -59,7 +59,7 @@ No modules. |----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | -| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
Restrict onboarding to a set of organizational unit identifiers whose child accounts and organizational units are to be onboarded | `set(string)` | `[]` | no | +| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
Restrict onboarding to a set of organizational unit identifiers whose child accounts and organizational units are to be onboarded | `set(string)` | `[]` | no | | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 93366a1..6580adb 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf @@ -27,7 +27,7 @@ check "validate_org_configuration_params" { assert { condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning error_message = <<-EOT - WARNING: TO BE DEPRECATED 'organizational_unit_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. + WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } @@ -37,7 +37,7 @@ check "validate_org_configuration_params" { ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY organizational_unit_ids will be considered. Please use only one of the two methods. - Note: organizational_unit_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. + Note: organizational_unit_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } } diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index bc5f946..4b38e9e 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
@@ -49,7 +49,7 @@ variable "is_gov_cloud_onboarding" { variable "organizational_unit_ids" { description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. + TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. When set, restrict onboarding to a set of organizational unit identifiers whose child accounts and organizational units are to be onboarded. Default: onboard all organizational units. EOF diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md index cb670c2..9d69f28 100644 --- a/modules/vm-workload-scanning/README.md +++ b/modules/vm-workload-scanning/README.md @@ -53,7 +53,7 @@ No modules. |------|-------------|------|---------|:--------:| | [tags](#input_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [is_organizational](#input_is_organizational) | Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | -| [organizational_units_ids](#input_org_units) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | +| [organizational_units_ids](#input_org_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | [timeout](#input_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [failure_tolerance_percentage](#input_failure_tolerance_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [lambda_scanning_enabled](#input_lambda_scanning_enabled) | Set this field to 'true' to deploy Agentless Workload Scanning for Lambda functions | `bool` | `false` | no | diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf index 59a1cb6..68e173a 100644 --- a/modules/vm-workload-scanning/locals.tf +++ b/modules/vm-workload-scanning/locals.tf @@ -41,7 +41,7 @@ check "validate_org_configuration_params" { assert { condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning error_message = <<-EOT - WARNING: TO BE DEPRECATED 'organizational_unit_ids': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. + WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } 
@@ -51,7 +51,7 @@ check "validate_org_configuration_params" { ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY organizational_unit_ids will be considered. Please use only one of the two methods. - Note: organizational_unit_ids is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. + Note: organizational_unit_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } } diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf index 2a84dac..05c2562 100644 --- a/modules/vm-workload-scanning/variables.tf +++ b/modules/vm-workload-scanning/variables.tf @@ -14,7 +14,7 @@ variable "is_organizational" { variable "organizational_unit_ids" { description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. + TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. When set, list of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` EOF
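Review bot: the second assert message in each `locals.tf` (the `@@ -37,7 +37,7` hunks, `@@ -51,7 +51,7` in vm-workload-scanning) is labelled `ERROR:` but lives inside `check "validate_org_configuration_params"`, and a failed `check` assertion is reported as a warning that does not stop plan or apply. The message itself says that ONLY `org_units` / `organizational_unit_ids` is considered when both methods are populated, so a configured `exclude_accounts` or `exclude_ouids` is dropped and the deployment still goes ahead into accounts the operator meant to leave out. Since this line is being reworded anyway, either make the mixed case a hard failure (for example a `precondition` on the stackset resource) or relabel it WARNING and say outright that the include/exclude lists are ignored.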
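Review bot: the new wording "DEPRECATED on 30th November, 2025" in the root `README.md` hunk and in every `description` and `error_message` does not say what happens on that date. The variables already trigger a deprecation warning through the first assert, so the date reads like a removal date; if so, say "will be removed on" and state whether a still-populated `org_units` will then fail the plan or be ignored. An ISO date (`2025-11-30`) would also avoid locale ambiguity, and the same string is now repeated across all five modules, so the docs and messages can drift if the date moves.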
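Review bot: in the `modules/vm-workload-scanning/README.md` hunk the edited row still documents the input as `organizational_units_ids` with anchor `#input_org_units`, while `variables.tf` and `locals.tf` in the same module declare and check `organizational_unit_ids`. A user following the README to find and migrate the deprecated input will search for a name that does not exist. Fix the row to `organizational_unit_ids` with a matching anchor while touching it.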
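Review bot: the `modules/integrations/event-bridge/README.md` row is out of sync with the `variables.tf` description it documents: it ends with a stray `"` after "within the Organization." and lacks the sentence "This field is ignored if `is_organizational = false`" that `variables.tf` carries. The `modules/agentless-scanning/README.md` row likewise opens with "(Optional) List of ..." where `variables.tf` has "When set, list of ...". Regenerate the inputs tables from the variable descriptions rather than hand-editing the deprecation text into both places.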