diff --git a/README.md b/README.md index 31d8376..5267161 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ There are four new parameters to configure organizational deployments on the clo 3. `include_accounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in. 4. `exclude_accounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in. -**WARNING**: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome. +**DEPRECATION NOTICE**: module variables `organizational_unit_ids` / `org_units` have been DEPRECATED and are no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome. ### Stackset Instances Installation diff --git a/modules/agentless-scanning/README.md b/modules/agentless-scanning/README.md index 4f39374..dec59c8 100644 --- a/modules/agentless-scanning/README.md +++ b/modules/agentless-scanning/README.md @@ -62,7 +62,6 @@ No modules. | [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Deletion window for shared KMS key | `number` | `7` | no | | [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-secure-scanning"` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no | | [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | `"878070807337"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no | diff --git a/modules/agentless-scanning/locals.tf b/modules/agentless-scanning/locals.tf index e0649a5..3257726 100644 --- a/modules/agentless-scanning/locals.tf +++ b/modules/agentless-scanning/locals.tf 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are provided, we fail early - both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.org_units) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY org_units will be considered. Please use only one of the two methods. - - Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -67,27 +37,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
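Review bot: The `entire_org` branch (case1) is now the landing spot for every organizational install that sets neither `include_ouids` nor `exclude_ouids`, including a caller who reacts to the removal of `org_units` by simply deleting that argument; `deployment_options.entire_org` points at `local.root_org_unit`, so the stack set instances are targeted at the organization root, i.e. every account. Terraform rejects the now-unknown `org_units` argument at plan time for this module, so the change is loud rather than silent, but the comment on case1 should name the resulting scope: `# case1 - no OU filters: target the organization root, i.e. every account (former org_units users must set include_ouids to keep the same scope)`. As a style point, every case already requires `var.is_organizational`, so the four repeated guards could be hoisted into one outer `var.is_organizational ? (...) : ""`. `org_configuration` closes inside the hunk but the enclosing `locals` block continues past it.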
@@ -95,9 +60,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.org_units - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -137,23 +99,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
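Review bot: When `exclude_ouids` is set together with `include_accounts` but without `exclude_accounts`, case1 fires and the account filter becomes `UNION`, because only case2 consults `local.org_configuration == "excluded_ous_only"`; if `deployment_options.excluded_ous_only` (outside this hunk) relies on a `DIFFERENCE` account filter to carve the excluded OUs out of the root, that exclusion is silently dropped and the excluded accounts are onboarded anyway. This logic predates the commit and the renumbering keeps it, but because the stack set deploys into member accounts it is a scope expansion a practitioner would want guarded or at least documented. Mirroring case2 in case3 would route that combination to `MIXED`: `var.is_organizational && length(var.include_accounts) > 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (` — assuming the `MIXED` deployment option (also outside this hunk) already subtracts the excluded-OU accounts; if it does not, rejecting the combination with a `check` assertion is the safer alternative. The enclosing `locals` block continues past the hunk.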
@@ -163,10 +120,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/agentless-scanning/organizational.tf b/modules/agentless-scanning/organizational.tf index 75b500c..1b70b1a 100644 --- a/modules/agentless-scanning/organizational.tf +++ b/modules/agentless-scanning/organizational.tf @@ -192,8 +192,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" { stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name deployment_targets { organizational_unit_ids = [each.value[1]] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/agentless-scanning/variables.tf b/modules/agentless-scanning/variables.tf index c8ac57d..dcd3e1f 100644 --- a/modules/agentless-scanning/variables.tf +++ b/modules/agentless-scanning/variables.tf 
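Review bot: After the `NONE` entry is dropped from `deployment_account_options` in the preceding hunk, the only way left for `local.deployment_targets_accounts_filter` to equal `"NONE"` is through however the empty `accounts_configuration` fallthrough (`""`) is resolved, and that resolution is not in this diff; if it does not map to `"NONE"`, the `accounts = ... == "NONE" ? null : ...` guard on the new line is dead and a plain org-wide install would hand the StackSet API an `account_filter_type` without the matching `accounts`, which is likely to be rejected. A comment on the `accounts` line would make the coupling visible: `# account_filter_type NONE requires accounts to be unset; an empty accounts_configuration must resolve to NONE upstream`. The `aws_cloudformation_stack_set_instance` resource starts and ends outside the hunk.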
@@ -30,16 +30,6 @@ variable "is_organizational" { default = false } -variable "org_units" { - description = <<-EOF - TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. - When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. - This field is ignored if `is_organizational = false` - EOF - type = set(string) - default = [] -} - variable "regions" { description = "(Optional) List of regions in which to install Agentless Scanning" type = set(string) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 55b6512..0a305c5 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -52,7 +52,6 @@ No modules. |----------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
Org unit id to install cspm | `set(string)` | `[]` | no | | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | diff --git a/modules/config-posture/locals.tf b/modules/config-posture/locals.tf index b69796e..1fe57f0 100644 --- a/modules/config-posture/locals.tf +++ b/modules/config-posture/locals.tf 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are provided, we fail early - both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.org_units) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY org_units will be considered. Please use only one of the two methods. - - Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -67,27 +37,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
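Review bot: With `org_units` gone, case1 (`entire_org`) is what any organizational caller lands on when neither `include_ouids` nor `exclude_ouids` is set, and `deployment_options.entire_org` resolves to `local.root_org_unit`, so the CSPM stack set instances are targeted at the organization root, i.e. every account. Because the module variable no longer exists, a leftover `org_units` argument fails at plan time rather than silently widening scope, but the comment should say what the default means: `# case1 - no OU filters: target the organization root, i.e. every account (former org_units users must set include_ouids to keep the same scope)`. Style-wise, the repeated `var.is_organizational &&` in all four cases could be hoisted into a single outer conditional. `org_configuration` closes inside the hunk; the enclosing `locals` block continues past it.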
@@ -95,9 +60,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.org_units - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -135,23 +97,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
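Review bot: Setting `exclude_ouids` together with `include_accounts` but without `exclude_accounts` selects case1 (`UNION`), since only case2 looks at `local.org_configuration == "excluded_ous_only"`; if `deployment_options.excluded_ous_only` (outside this hunk) depends on a `DIFFERENCE` account filter to remove the excluded OUs from the root, that exclusion appears to be lost and those accounts get the stack set anyway. The commit only renumbers this logic, but in a module that deploys into member accounts a silently dropped exclusion is worth either a guard or an explicit statement in the case comments. One option is to mirror case2's condition in case3: `var.is_organizational && length(var.include_accounts) > 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (` — valid only if the `MIXED` option (also outside this hunk) subtracts the excluded-OU accounts; otherwise a `check` assertion rejecting the combination is safer. The enclosing `locals` block continues past the hunk.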
@@ -161,10 +118,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf index d13c82c..2bd8e1f 100644 --- a/modules/config-posture/organizational.tf +++ b/modules/config-posture/organizational.tf @@ -110,8 +110,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" { stack_set_name = aws_cloudformation_stack_set.stackset[0].name deployment_targets { organizational_unit_ids = [each.value] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index 0870a24..0761c89 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -8,15 +8,6 @@ variable "is_organizational" { description = "true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account)" } -variable "org_units" { - description = <<-EOF - TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. - When set, org units to install cspm. - EOF - type = set(string) - default = [] -} - variable "region" { type = string default = "" 
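Review bot: The `accounts = local.deployment_targets_accounts_filter == "NONE" ? null : ...` guard on the new line now depends on something this diff does not show: the `NONE` entry is removed from `deployment_account_options` in the preceding hunk, so `"NONE"` can only come from how the empty `accounts_configuration` fallthrough (`""`) is resolved elsewhere in the module. If that resolution does not yield `"NONE"`, the guard is unreachable and an org-wide install without account filters would pass an `account_filter_type` with no `accounts`, which the StackSet API is likely to reject. Suggest `# account_filter_type NONE requires accounts to be unset; an empty accounts_configuration must resolve to NONE upstream` above the `accounts` line. The `aws_cloudformation_stack_set_instance` resource starts and ends outside the hunk.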
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md index f7dc33c..7e529b5 100644 --- a/modules/integrations/cloud-logs/README.md +++ b/modules/integrations/cloud-logs/README.md @@ -114,7 +114,6 @@ No modules. | [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `string` | sysdig-secure-cloudlogs | no | | [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no | | [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | -| [org\_units](#input\_org\_units) | (Optional) List of AWS Organizations organizational unit (OU) IDs in which to create the StackSet instances. Required for cross-account organizational deployments. | `list(string)` | `[]` | no | | [timeout](#input\_timeout) | (Optional) The timeout for StackSet operations | `string` | `"30m"` | no | ## Outputs diff --git a/modules/integrations/cross-account-event-bridge/README.md b/modules/integrations/cross-account-event-bridge/README.md index 81e4204..eade58a 100644 --- a/modules/integrations/cross-account-event-bridge/README.md +++ b/modules/integrations/cross-account-event-bridge/README.md 
@@ -75,7 +75,6 @@ No modules. | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) | `bool` | `false` | no | | [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sysdig-secure-events"` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead.
When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization." | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to setup EventBridge. By default, current region is selected | `set(string)` | `[]` | no | | [rule\_state](#input\_rule\_state) | State of the rule. When state is ENABLED, the rule is enabled for all events except those delivered by CloudTrail. To also enable the rule for events delivered by CloudTrail, set state to ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role arn to run SELF\_MANAGED stackset | `string` | `""` | no | diff --git a/modules/integrations/cross-account-event-bridge/locals.tf b/modules/integrations/cross-account-event-bridge/locals.tf index dd0b791..75cd1d9 100644 --- a/modules/integrations/cross-account-event-bridge/locals.tf +++ b/modules/integrations/cross-account-event-bridge/locals.tf 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are provided, we fail early - both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.org_units) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY org_units will be considered. Please use only one of the two methods. - - Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -67,27 +37,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
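Review bot: Case1 (`entire_org`) is the only path for an organizational install that sets neither `include_ouids` nor `exclude_ouids` now that `org_units` is removed, and `deployment_options.entire_org` maps to `local.root_org_unit`, so the EventBridge rule and role stack sets are targeted at the organization root, i.e. every account. Terraform rejects a leftover `org_units` argument for this module at plan time, so the scope change is not silent, but the case comment should spell it out: `# case1 - no OU filters: target the organization root, i.e. every account (former org_units users must set include_ouids to keep the same scope)`. As a style point the four `var.is_organizational &&` prefixes could be hoisted into one outer `var.is_organizational ? (...) : ""`. `org_configuration` closes inside the hunk; the enclosing `locals` block continues past it.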
@@ -95,9 +60,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.org_units - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -136,23 +98,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
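Review bot: The combination `exclude_ouids` + `include_accounts` with no `exclude_accounts` falls into case1 and yields `UNION`, because only case2 consults `local.org_configuration == "excluded_ous_only"`; if `deployment_options.excluded_ous_only` (outside this hunk) relies on a `DIFFERENCE` account filter to subtract the excluded OUs from the root, that exclusion looks to be dropped and the EventBridge role lands in accounts the operator meant to exclude. This behavior predates the commit, but a silently widened deployment of a cross-account role is exactly the kind of thing that should be guarded. Either mirror case2 in case3 — `var.is_organizational && length(var.include_accounts) > 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (` — provided the `MIXED` option (also outside this hunk) subtracts the excluded-OU accounts, or reject the combination with a `check` assertion. The enclosing `locals` block continues past the hunk.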
@@ -162,10 +119,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/integrations/cross-account-event-bridge/organizational.tf b/modules/integrations/cross-account-event-bridge/organizational.tf index d476fdc..f7f85ce 100644 --- a/modules/integrations/cross-account-event-bridge/organizational.tf +++ b/modules/integrations/cross-account-event-bridge/organizational.tf @@ -101,8 +101,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_stackset_instance" { stack_set_name = aws_cloudformation_stack_set.eb-rule-stackset[0].name deployment_targets { organizational_unit_ids = local.deployment_targets_org_units - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 
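Review bot: The new `accounts = local.deployment_targets_accounts_filter == "NONE" ? null : ...` line relies on a value this diff no longer produces directly: the `NONE` entry is removed from `deployment_account_options` in the preceding hunk, so `"NONE"` must now come from however the empty `accounts_configuration` fallthrough (`""`) is resolved, which is outside the hunk. If that mapping is missing, the guard is dead and an org-wide install with no account filters would submit an `account_filter_type` without `accounts`, which the StackSet API is likely to reject. A comment such as `# account_filter_type NONE requires accounts to be unset; an empty accounts_configuration must resolve to NONE upstream` would make the dependency explicit; the same applies to the `eb_role_stackset_instance` hunk that follows. The `aws_cloudformation_stack_set_instance` resource starts and ends outside the hunk.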
@@ -125,8 +125,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" { stack_set_name = aws_cloudformation_stack_set.eb-role-stackset[0].name deployment_targets { organizational_unit_ids = local.deployment_targets_org_units - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/integrations/cross-account-event-bridge/variables.tf b/modules/integrations/cross-account-event-bridge/variables.tf index e0f8fcb..1821bae 100644 --- a/modules/integrations/cross-account-event-bridge/variables.tf +++ b/modules/integrations/cross-account-event-bridge/variables.tf @@ -4,16 +4,6 @@ variable "is_organizational" { default = false } -variable "org_units" { - description = <<-EOF - TO BE DEPRECATED: Please work with Sysdig to migrate to using `include_ouids` instead. - When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. - This field is ignored if `is_organizational = false` - EOF - type = set(string) - default = [] -} - variable "regions" { description = "(Optional) List of regions in which to setup EventBridge. By default, current region is selected" type = set(string) diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md index 3d2a485..6ba18f8 100644 --- a/modules/integrations/event-bridge/README.md +++ b/modules/integrations/event-bridge/README.md 
@@ -76,7 +76,6 @@ No modules. | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) | `bool` | `false` | no | | [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sysdig-secure-events"` | no | -| [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization." | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to setup EventBridge. By default, current region is selected | `set(string)` | `[]` | no | | [rule\_state](#input\_rule\_state) | State of the rule. When state is ENABLED, the rule is enabled for all events except those delivered by CloudTrail. To also enable the rule for events delivered by CloudTrail, set state to ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role arn to run SELF\_MANAGED stackset | `string` | `""` | no | diff --git a/modules/integrations/event-bridge/locals.tf b/modules/integrations/event-bridge/locals.tf index 982499c..75cd1d9 100644 --- a/modules/integrations/event-bridge/locals.tf +++ b/modules/integrations/event-bridge/locals.tf 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are provided, we fail early - both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.org_units) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY org_units will be considered. Please use only one of the two methods. - - Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -67,27 +37,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
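Review bot: With the old_ouid_param branch removed, case1 now sends every organizational install that sets neither `include_ouids` nor `exclude_ouids` to "entire_org", which `deployment_options` maps to `local.root_org_unit`, i.e. every account under the Root OU. A caller migrating from `org_units = [...]` who deletes that line without adding `include_ouids` therefore gets the EventBridge rules and cross-account roles deployed org-wide instead of to the previously scoped OUs; the removed `org_units` variable should make Terraform reject the old argument at plan time, but nothing flags the widened blast radius once it is dropped. I would state this in the branch comment: `# case1 - no include/exclude ous: target the Root OU, i.e. EVERY account in the org. Callers migrating off the removed org_units variable must set include_ouids to keep their previous scope.` The remainder of the locals block (deployment_options, account filters) is in the following hunks.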
@@ -95,9 +60,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.org_units - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -136,23 +98,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
@@ -162,10 +119,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf index 8b1d1e3..3c4dd0f 100644 --- a/modules/integrations/event-bridge/organizational.tf +++ b/modules/integrations/event-bridge/organizational.tf @@ -74,8 +74,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_api_dest_instance" { stack_set_name = aws_cloudformation_stack_set.eb_rule_api_dest_stackset[0].name deployment_targets { organizational_unit_ids = [each.value[1]] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 
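Review bot: The first hunk deletes the `NONE` entry from `deployment_account_options`, yet the new `accounts = local.deployment_targets_accounts_filter == "NONE" ? null : ...` line in eb_rule_api_dest_instance still compares against that value, and the preceding hunk's `accounts_configuration` now falls through to `""` rather than "NONE" when no account filters are given. How `""` resolves to an `account_filter_type` depends on the definition of `deployment_targets_accounts_filter`, which is outside this diff; as far as I recall CloudFormation accepts only NONE, INTERSECTION, DIFFERENCE and UNION, so an empty string would fail the stack set instance. If the lookup defaults to NONE, add `# "" (no account filters) resolves to NONE via the lookup default` next to the comparison; if it does not, the no-filter path needs an explicit NONE mapping. The resource block continues past the hunk.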
@@ -97,8 +97,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" { stack_set_name = aws_cloudformation_stack_set.eb_role_stackset[0].name deployment_targets { organizational_unit_ids = [each.value] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf index b5fb6d6..f1ef09f 100644 --- a/modules/integrations/event-bridge/variables.tf +++ b/modules/integrations/event-bridge/variables.tf @@ -4,16 +4,6 @@ variable "is_organizational" { default = false } -variable "org_units" { - description = <<-EOF - TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. - When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. - This field is ignored if `is_organizational = false` - EOF - type = set(string) - default = [] -} - variable "regions" { description = "(Optional) List of regions in which to setup EventBridge. By default, current region is selected" type = set(string) diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 139c4fd..a8bf0db 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
@@ -59,7 +59,6 @@ No modules. |----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | -| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
Restrict onboarding to a set of organizational unit identifiers whose child accounts and organizational units are to be onboarded | `set(string)` | `[]` | no | | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | @@ -77,7 +76,6 @@ No modules. |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------| | [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire AWS organization or not | -| [organizational\_unit\_ids](#output\_organizational\_unit\_ids) | organizational unit ids onboarded | | [is\_gov\_cloud\_onboarding](#output\_is\_gov\_cloud\_onboarding) | Boolean value to indicate if a govcloud account/organization is being onboarded | | [include\_ouids](#output\_include\_ouids) | ouids to include for organization | | [exclude\_ouids](#output\_exclude\_ouids) | ouids to exclude for organization | diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 0cb7aac..75cd1d9 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are used, we fail early - both_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old organizational_unit_ids parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.organizational_unit_ids) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY organizational_unit_ids will be considered. Please use only one of the two methods. - - Note: organizational_unit_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -67,27 +37,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY organizational_unit_ids is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
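Review bot: Removing the old_ouid_param branch means an organizational onboarding with no `include_ouids`/`exclude_ouids` now resolves to "entire_org" and hence to `local.root_org_unit`, and this module's outputs (`include_ouids`, `exclude_ouids`, `include_accounts`, `exclude_accounts`) are what the test examples wire into every other module, so the scope decision made here propagates to the scanning roles and EventBridge stack sets as well. A tenant that previously restricted onboarding with `organizational_unit_ids` and simply deletes that argument will be onboarded org-wide, including in `sysdig_secure_organization`, with no warning beyond the README notice. I would make that explicit on case1: `# case1 - no include/exclude ous: onboard the Root OU, i.e. the WHOLE organization. Former organizational_unit_ids users must set include_ouids to retain their scope.` Consider also a `check` block that warns when `is_organizational` is true and all four include/exclude inputs are empty, replacing the validation block this commit removes. The locals block continues in the next hunks.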
@@ -95,9 +60,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.organizational_unit_ids - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -136,23 +98,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
@@ -162,10 +119,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index c621318..cc741a2 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -60,8 +60,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" { stack_set_name = aws_cloudformation_stack_set.stackset[0].name deployment_targets { organizational_unit_ids = [each.value] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 
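Review bot: The `NONE` key is removed from `deployment_account_options` in the first hunk, but the new `accounts = local.deployment_targets_accounts_filter == "NONE" ? null : ...` line in stackset_instance still branches on it, and `accounts_configuration` now yields `""` for the no-filter case. Whether `""` is turned into a valid filter type (NONE) happens in the definition of `deployment_targets_accounts_filter`, outside this diff; please either document that default on the comparison, e.g. `# filter is NONE when no include/exclude accounts are set (lookup default)`, or reinstate an explicit NONE mapping so the stack set instance never receives an empty `account_filter_type`. The resource block continues past the hunk.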
@@ -80,12 +80,11 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" { resource "sysdig_secure_organization" "aws_organization" { count = var.is_organizational ? 1 : 0 management_account_id = sysdig_secure_cloud_auth_account.cloud_auth_account.id - organizational_unit_ids = local.check_old_ouid_param ? var.organizational_unit_ids : [] organization_root_id = local.root_org_unit[0] - included_organizational_groups = local.check_old_ouid_param ? [] : var.include_ouids - excluded_organizational_groups = local.check_old_ouid_param ? [] : var.exclude_ouids - included_cloud_accounts = local.check_old_ouid_param ? [] : var.include_accounts - excluded_cloud_accounts = local.check_old_ouid_param ? [] : var.exclude_accounts + included_organizational_groups = var.include_ouids + excluded_organizational_groups = var.exclude_ouids + included_cloud_accounts = var.include_accounts + excluded_cloud_accounts = var.exclude_accounts automatic_onboarding = var.enable_automatic_onboarding lifecycle { diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 0269a43..ba821cc 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -8,11 +8,6 @@ output "is_organizational" { description = "onboard the organization in which account resides" } -output "organizational_unit_ids" { - value = var.organizational_unit_ids - description = "organizational unit ids to onboard" -} - output "is_gov_cloud_onboarding" { value = var.is_gov_cloud_onboarding description = "onboard the govcloud account/organization" diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 94a8696..f1daec4 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
@@ -47,16 +47,6 @@ variable "is_gov_cloud_onboarding" { description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not" } -variable "organizational_unit_ids" { - description = <<-EOF - TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead. - When set, restrict onboarding to a set of organizational unit identifiers whose child accounts and organizational units are to be onboarded. - Default: onboard all organizational units. - EOF - type = set(string) - default = [] -} - variable "include_ouids" { description = "(Optional) ouids to include for organization" type = set(string) diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md index e4226c2..19ee9df 100644 --- a/modules/vm-workload-scanning/README.md +++ b/modules/vm-workload-scanning/README.md @@ -53,7 +53,6 @@ No modules. |------|-------------|------|---------|:--------:| | [tags](#input_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [is_organizational](#input_is_organizational) | Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | -| [organizational_units_ids](#input_org_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | [timeout](#input_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [failure_tolerance_percentage](#input_failure_tolerance_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [lambda_scanning_enabled](#input_lambda_scanning_enabled) | Set this field to 'true' to deploy Agentless Workload Scanning for Lambda functions | `bool` | `false` | no | diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf index fb28a23..591ded3 100644 --- a/modules/vm-workload-scanning/locals.tf +++ b/modules/vm-workload-scanning/locals.tf 
@@ -21,41 +21,11 @@ data "aws_organizations_organization" "org" { } locals { - # check if both old and new org parameters are used, we fail early - both_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 - ) - - # check if old organizational_unit_ids parameter is provided, for backwards compatibility we will always give preference to it - check_old_ouid_param = var.is_organizational && length(var.organizational_unit_ids) > 0 - # fetch the AWS Root OU under org # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : [] } -check "validate_org_configuration_params" { - assert { - condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning - error_message = <<-EOT - WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. - EOT - } - - assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error - error_message = <<-EOT - ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, - ONLY organizational_unit_ids will be considered. Please use only one of the two methods. - - Note: organizational_unit_ids is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. - EOT - } -} - # ***************************************************************************************************************************************************** # INCLUDE/EXCLUDE CONFIGURATION SUPPORT # 
@@ -81,27 +51,22 @@ check "validate_org_configuration_params" { locals { # OU CONFIGURATION (determine user provided org configuration) org_configuration = ( - # case1 - if old method is used where ONLY organizational_unit_ids is provided, use those - local.check_old_ouid_param ? ( - "old_ouid_param" + # case1 - if no include/exclude ous provided, include entire org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( + "entire_org" ) : ( - # case2 - if no include/exclude ous provided, include entire org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( - "entire_org" + # case2 - if only included ouids provided, include those ous only + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( + "included_ous_only" ) : ( - # case3 - if only included ouids provided, include those ous only - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( - "included_ous_only" + # case3 - if only excluded ouids provided, exclude their accounts from rest of org + var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( + "excluded_ous_only" ) : ( - # case4 - if only excluded ouids provided, exclude their accounts from rest of org - var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( - "excluded_ous_only" - ) : ( - # case5 - if both include and exclude ouids are provided, includes override excludes - var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( - "mixed_ous" - ) : "" - ) + # case4 - if both include and exclude ouids are provided, includes override excludes + var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( + "mixed_ous" + ) : "" ) ) ) 
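Review bot: Case1 now routes any organizational install without `include_ouids`/`exclude_ouids` to "entire_org", which resolves to the Root OU, so the workload-scanning role stack set is deployed to every account in the organization unless the caller opts in to a narrower scope; a caller who removes the now-unsupported `organizational_unit_ids` argument without adding `include_ouids` silently widens the set of accounts that grant the scanning role. I would say so in the branch comment: `# case1 - no include/exclude ous: deploy to the Root OU, i.e. EVERY account in the org. Migrating from organizational_unit_ids requires setting include_ouids to keep the old scope.` The rest of the locals block follows in later hunks.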
@@ -109,9 +74,6 @@ locals { # switch cases for various user provided org configuration to be onboarded deployment_options = { - old_ouid_param = { - org_units_to_deploy = var.organizational_unit_ids - } entire_org = { org_units_to_deploy = local.root_org_unit } @@ -151,23 +113,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to locals { # ACCOUNTS CONFIGURATION (determine user provided accounts configuration) accounts_configuration = ( - # case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop - local.check_old_ouid_param ? ( - "NONE" + # case1 - if only included accounts provided, include those accts as well + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( + "UNION" ) : ( - # case2 - if only included accounts provided, include those accts as well - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( - "UNION" + # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( + "DIFFERENCE" ) : ( - # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( - "DIFFERENCE" - ) : ( - # case4 - if both include and exclude accounts are provided, includes override excludes - var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( - "MIXED" - ) : "" - ) + # case3 - if both include and exclude accounts are provided, includes override excludes + var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( + "MIXED" + ) : "" ) ) ) 
@@ -177,10 +134,6 @@ locals { # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { - NONE = { - accounts_to_deploy = [] - account_filter_type = "NONE" - } UNION = { accounts_to_deploy = var.include_accounts account_filter_type = "UNION" diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf index 8df760f..214bc2f 100644 --- a/modules/vm-workload-scanning/organizational.tf +++ b/modules/vm-workload-scanning/organizational.tf @@ -125,8 +125,8 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc stack_set_name = aws_cloudformation_stack_set.scanning_role_stackset[0].name deployment_targets { organizational_unit_ids = [each.value] - accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) - account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter + accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy + account_filter_type = local.deployment_targets_accounts_filter } operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf index 05c2562..3ce33cf 100644 --- a/modules/vm-workload-scanning/variables.tf +++ b/modules/vm-workload-scanning/variables.tf 
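Review bot: This line's first hunk drops the `NONE` entry from `deployment_account_options` while the second hunk's new `accounts = local.deployment_targets_accounts_filter == "NONE" ? null : ...` line in scanning_role_stackset_instance still depends on that value, and `accounts_configuration` now ends in `""` when no account filters are given. The translation of `""` to a valid `account_filter_type` must live in `deployment_targets_accounts_filter`, which is not in this diff; please confirm it still defaults to NONE and note that on the comparison, e.g. `# lookup default yields NONE when accounts_configuration is ""`, otherwise the unfiltered path would pass an empty filter type to the stack set instance. The resource block continues beyond the hunk.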
@@ -12,16 +12,6 @@ variable "is_organizational" {
 default = false
 }
-variable "organizational_unit_ids" {
- description = <<-EOF
- TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
- When set, list of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization.
- This field is ignored if `is_organizational = false`
- EOF
- type = set(string)
- default = []
- }
-
 variable "timeout" {
 type = string
 description = "Default timeout values for create, update, and delete operations"
diff --git a/test/examples/organization/agentless_scanning.tf b/test/examples/organization/agentless_scanning.tf
index 3a9c382..5a5db1a 100644
--- a/test/examples/organization/agentless_scanning.tf
+++ b/test/examples/organization/agentless_scanning.tf
@@ -8,8 +8,6 @@ module "agentless-scanning" {
 regions = ["us-east-1", "us-west-1", "us-west-2"]
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = module.onboarding.is_organizational
- # legacy org install
- # org_units = module.onboarding.organizational_unit_ids
 # include/exclude org install params
 include_ouids = module.onboarding.include_ouids
diff --git a/test/examples/organization/event_bridge.tf b/test/examples/organization/event_bridge.tf
index c441694..be55b23 100644
--- a/test/examples/organization/event_bridge.tf
+++ b/test/examples/organization/event_bridge.tf
@@ -8,8 +8,6 @@ module "event-bridge" {
 regions = ["us-east-1", "us-west-1", "us-west-2"]
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = module.onboarding.is_organizational
- # legacy org install
- # org_units = module.onboarding.organizational_unit_ids
 # include/exclude org install params
 include_ouids = module.onboarding.include_ouids
diff --git a/test/examples/organization/event_bridge_gov.tf b/test/examples/organization/event_bridge_gov.tf
index d5e982d..c232679 100644
--- a/test/examples/organization/event_bridge_gov.tf
+++ b/test/examples/organization/event_bridge_gov.tf
@@ -8,8 +8,13 @@ module "event-bridge" {
 regions = ["us-gov-east-1"]
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = module.onboarding.is_organizational
- org_units = module.onboarding.organizational_unit_ids
 is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding
+
+ # include/exclude org install params
+ include_ouids = module.onboarding.include_ouids
+ exclude_ouids = module.onboarding.exclude_ouids
+ include_accounts = module.onboarding.include_accounts
+ exclude_accounts = module.onboarding.exclude_accounts
 }
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
diff --git a/test/examples/organization/onboarding_with_cspm.tf b/test/examples/organization/onboarding_with_cspm.tf
index 060565e..e67ccdb 100644
--- a/test/examples/organization/onboarding_with_cspm.tf
+++ b/test/examples/organization/onboarding_with_cspm.tf
@@ -20,8 +20,6 @@ provider "aws" {
 module "onboarding" {
 source = "../../../modules/onboarding"
 is_organizational = true
- # legacy org install
- # organizational_unit_ids = ["ou-ks5g-dofso0kc"]
 # include/exclude org install params
 include_ouids = ["ou-1", "ou-2"]
@@ -36,8 +34,6 @@ module "config-posture" {
 source = "../../../modules/config-posture"
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = true
- # legacy org install
- # org_units = ["ou-ks5g-dofso0kc"]
 # include/exclude org install params
 include_ouids = module.onboarding.include_ouids
diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf
index e7e7fa7..447b06e 100644
--- a/test/examples/organization/onboarding_with_cspm_gov.tf
+++ b/test/examples/organization/onboarding_with_cspm_gov.tf
@@ -19,17 +19,26 @@ provider "aws" {
 module "onboarding" {
 source = "../../../modules/onboarding"
- organizational_unit_ids = ["ou-ks5g-dofso0kc"]
 is_organizational = true
 is_gov_cloud_onboarding = true
+
+ # include/exclude org install params
+ include_ouids = ["ou-1", "ou-2"]
+ exclude_accounts = ["123456789101", "123456789101", "123456789101", "123456789101"]
+ include_accounts = ["123456789101", "123456789101"]
 }
 module "config-posture" {
 source = "../../../modules/config-posture"
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
- org_units = ["ou-ks5g-dofso0kc"]
 is_organizational = true
 is_gov_cloud_onboarding = true
+
+ # include/exclude org install params
+ include_ouids = module.onboarding.include_ouids
+ exclude_ouids = module.onboarding.exclude_ouids
+ include_accounts = module.onboarding.include_accounts
+ exclude_accounts = module.onboarding.exclude_accounts
 }
 resource "sysdig_secure_cloud_auth_account_feature" "config_posture" {
diff --git a/test/examples/organization/vm-workload-scanning-ecs.tf b/test/examples/organization/vm-workload-scanning-ecs.tf
index 7fcc53d..00430fe 100644
--- a/test/examples/organization/vm-workload-scanning-ecs.tf
+++ b/test/examples/organization/vm-workload-scanning-ecs.tf
@@ -2,8 +2,6 @@ module "vm_workload_scanning" {
 source = "sysdiglabs/secure/aws//modules/vm-workload-scanning"
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = module.onboarding.is_organizational
- # legacy org install
- # organizational_unit_ids = module.onboarding.organizational_unit_ids
 # include/exclude org install params
 include_ouids = module.onboarding.include_ouids
diff --git a/test/examples/organization/vm-workload-scanning-lambda.tf b/test/examples/organization/vm-workload-scanning-lambda.tf
index 3691824..3e0335e 100644
--- a/test/examples/organization/vm-workload-scanning-lambda.tf
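Review bot: In the new `module "onboarding"` arguments, `exclude_accounts` repeats the placeholder `123456789101` four times and `include_accounts` lists that same id, so the example does not exercise the filtering it is meant to show: when both lists are set, includes override excludes (the `MIXED` case in `accounts_configuration`), which makes the exclude list a no-op here, and if the variables are typed `set(string)` the duplicates collapse to a single element anyway. Distinct constructed placeholders — e.g. `exclude_accounts = ["111111111111", "222222222222"]` and `include_accounts = ["333333333333"]` — would let the gov-cloud example demonstrate include and exclude separately, matching the intent of `# include/exclude org install params`.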
+++ b/test/examples/organization/vm-workload-scanning-lambda.tf
@@ -2,8 +2,6 @@ module "vm_workload_scanning" {
 source = "sysdiglabs/secure/aws//modules/vm-workload-scanning"
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 is_organizational = module.onboarding.is_organizational
- # legacy org install
- # organizational_unit_ids = module.onboarding.organizational_unit_ids
 # include/exclude org install params
 include_ouids = module.onboarding.include_ouids