2 changes: 1 addition & 1 deletion README.md
@@ -73,7 +73,7 @@ There are four new parameters to configure organizational deployments on the clo
3. `include_accounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in.
4. `exclude_accounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in.

**WARNING**: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome.
**DEPRECATION NOTICE**: module variables `organizational_unit_ids` / `org_units` have been DEPRECATED and are no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome.

### Stackset Instances Installation

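Review bot: the new `**DEPRECATION NOTICE**` line says `organizational_unit_ids` / `org_units` are "no longer supported" but does not tell an existing caller what that means in practice: the variable is deleted from `variables.tf` in this same change, so a root module that still sets `org_units` will fail at plan time with an unsupported-argument error rather than see a warning. Suggest stating that outcome and the one-line migration step here, e.g. "Remove `org_units` and pass the same OU IDs via `include_ouids`", since the notice already promises the same deployment outcome. The hunk header's "There are four new parameters" also reads oddly now that these are the only supported parameters; "four parameters" would do.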
1 change: 0 additions & 1 deletion modules/agentless-scanning/README.md
@@ -62,7 +62,6 @@ No modules.
| <a name="input_kms_key_deletion_window"></a> [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Deletion window for shared KMS key | `number` | `7` | no |
| <a name="input_mgt_stackset"></a> [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no |
| <a name="input_name"></a> [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-secure-scanning"` | no |
| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.<br>(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
| <a name="input_regions"></a> [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no |
| <a name="input_scanning_account_id"></a> [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | `"878070807337"` | no |
| <a name="input_stackset_admin_role_arn"></a> [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no |
93 changes: 23 additions & 70 deletions modules/agentless-scanning/locals.tf
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" {
}

locals {
# check if both old and new org parameters are provided, we fail early
both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
length(var.include_ouids) > 0 ||
length(var.exclude_ouids) > 0 ||
length(var.include_accounts) > 0 ||
length(var.exclude_accounts) > 0
)

# check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
check_old_ouid_param = var.is_organizational && length(var.org_units) > 0

# fetch the AWS Root OU under org
# As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
}

check "validate_org_configuration_params" {
assert {
condition = length(var.org_units) == 0 # if this condition is false we throw warning
error_message = <<-EOT
WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
EOT
}

assert {
condition = !local.both_org_configuration_params # if this condition is false we throw error
error_message = <<-EOT
ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
ONLY org_units will be considered. Please use only one of the two methods.

Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
EOT
}
}

# *****************************************************************************************************************************************************
# INCLUDE/EXCLUDE CONFIGURATION SUPPORT
#
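Review bot: deleting the entire `check "validate_org_configuration_params"` block leaves this module with no input validation at all, not only none for `org_units`. Every branch of the `org_configuration` / `accounts_configuration` ladders is guarded by `var.is_organizational`, so `include_ouids`, `exclude_ouids`, `include_accounts` or `exclude_accounts` supplied together with `is_organizational = false` now fall through to `""` silently instead of being reported. Suggest keeping a slimmed-down `check` with one `assert` that those four lists are empty unless `is_organizational` is true, reusing the `length(var.include_ouids) > 0 || length(var.exclude_ouids) > 0 || ...` expression from the removed `both_org_configuration_params` local.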
@@ -67,37 +37,29 @@ check "validate_org_configuration_params" {
locals {
# OU CONFIGURATION (determine user provided org configuration)
org_configuration = (
# case1 - if old method is used where ONLY org_units is provided, use those
local.check_old_ouid_param ? (
"old_ouid_param"
# case1 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
) : (
# case2 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
# case2 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
) : (
# case3 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
# case3 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case4 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case5 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
# case4 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
)
)
)

# switch cases for various user provided org configuration to be onboarded
deployment_options = {
old_ouid_param = {
org_units_to_deploy = var.org_units
}
entire_org = {
org_units_to_deploy = local.root_org_unit
}
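Review bot: style, on the rewritten `org_configuration` ladder: each of the four surviving branches still repeats `var.is_organizational &&`, which made sense when the `check_old_ouid_param` branch had to come first but now only hides the fact that the whole expression is `""` whenever the module is not organizational. Wrapping the chain once, e.g. `var.is_organizational ? ( ...cases on include/exclude lengths... ) : ""`, and dropping the per-branch guard would make that explicit. The renumbered `case1`..`case4` comments do match the new branch order, and the closing-paren count is consistent with one nesting level removed.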
@@ -137,23 +99,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
locals {
# ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
accounts_configuration = (
# case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
local.check_old_ouid_param ? (
"NONE"
# case1 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
) : (
# case2 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
# case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
"DIFFERENCE"
) : (
# case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
"DIFFERENCE"
) : (
# case4 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
# case3 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
)
)
@@ -163,10 +120,6 @@ locals {

# switch cases for various user provided accounts configuration to be onboarded
deployment_account_options = {
NONE = {
accounts_to_deploy = []
account_filter_type = "NONE"
}
UNION = {
accounts_to_deploy = var.include_accounts
account_filter_type = "UNION"
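Review bot: removing the `NONE` entry from `deployment_account_options` needs a cross-check against `organizational.tf`, which in this same diff still compares `local.deployment_targets_accounts_filter == "NONE"` to decide whether `accounts` is `null`. The keys left here are `UNION`, `DIFFERENCE` and `MIXED`, and `accounts_configuration` falls through to `""` when neither include nor exclude accounts are set (the entire-org and OU-only cases), so the `"NONE"` filter value must now come from whatever derives `deployment_targets_accounts_filter` outside this hunk. Please confirm that derivation defaults to `"NONE"` rather than `""`; otherwise `accounts = null` is never emitted for those cases and the stack set instance is handed an empty account list with an `account_filter_type` that is not one of the values CloudFormation accepts.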
4 changes: 2 additions & 2 deletions modules/agentless-scanning/organizational.tf
@@ -192,8 +192,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
deployment_targets {
organizational_unit_ids = [each.value[1]]
accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
accounts = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
account_filter_type = local.deployment_targets_accounts_filter
}
operation_preferences {
max_concurrent_percentage = 100
10 changes: 0 additions & 10 deletions modules/agentless-scanning/variables.tf
@@ -30,16 +30,6 @@ variable "is_organizational" {
default = false
}

variable "org_units" {
description = <<-EOF
TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization.
This field is ignored if `is_organizational = false`
EOF
type = set(string)
default = []
}

variable "regions" {
description = "(Optional) List of regions in which to install Agentless Scanning"
type = set(string)
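Review bot: dropping `variable "org_units"` outright means the migration text that lived in its `description` heredoc disappears with it, and a caller that still passes `org_units` gets Terraform's generic unsupported-argument error with no pointer to `include_ouids`. If a hard break is the intent that is defensible, but an alternative for one release is to keep the variable with `default = []` and a `validation { condition = length(var.org_units) == 0 error_message = "..." }` carrying the "use `include_ouids` instead" message, so the failure itself tells the operator what to change, then delete it in a follow-up.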
1 change: 0 additions & 1 deletion modules/config-posture/README.md
@@ -52,7 +52,6 @@ No modules.
|----------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:|
| <a name="input_failure_tolerance_percentage"></a> [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.<br>Org unit id to install cspm | `set(string)` | `[]` | no |
| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
93 changes: 23 additions & 70 deletions modules/config-posture/locals.tf
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" {
}

locals {
# check if both old and new org parameters are provided, we fail early
both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
length(var.include_ouids) > 0 ||
length(var.exclude_ouids) > 0 ||
length(var.include_accounts) > 0 ||
length(var.exclude_accounts) > 0
)

# check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
check_old_ouid_param = var.is_organizational && length(var.org_units) > 0

# fetch the AWS Root OU under org
# As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
}

check "validate_org_configuration_params" {
assert {
condition = length(var.org_units) == 0 # if this condition is false we throw warning
error_message = <<-EOT
WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
EOT
}

assert {
condition = !local.both_org_configuration_params # if this condition is false we throw error
error_message = <<-EOT
ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
ONLY org_units will be considered. Please use only one of the two methods.

Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
EOT
}
}

# *****************************************************************************************************************************************************
# INCLUDE/EXCLUDE CONFIGURATION SUPPORT
#
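Review bot: `check_old_ouid_param` is removed from this module's locals, but unlike agentless-scanning there is no `modules/config-posture/organizational.tf` hunk in this diff. The agentless-scanning counterpart consumed that local in its `deployment_targets` block (`accounts = local.check_old_ouid_param ? null : ...`); if config-posture's organizational file has the same reference, the module will fail on an unknown local after this change. Please either include the matching edit or confirm config-posture never referenced `local.check_old_ouid_param`.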
@@ -67,37 +37,29 @@ check "validate_org_configuration_params" {
locals {
# OU CONFIGURATION (determine user provided org configuration)
org_configuration = (
# case1 - if old method is used where ONLY org_units is provided, use those
local.check_old_ouid_param ? (
"old_ouid_param"
# case1 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
) : (
# case2 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
# case2 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
) : (
# case3 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
# case3 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case4 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case5 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
# case4 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
)
)
)

# switch cases for various user provided org configuration to be onboarded
deployment_options = {
old_ouid_param = {
org_units_to_deploy = var.org_units
}
entire_org = {
org_units_to_deploy = local.root_org_unit
}
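Review bot: this `org_configuration` rewrite, and the `accounts_configuration` and `deployment_account_options` hunks that follow, are line-for-line the same edits made in `modules/agentless-scanning/locals.tf`. Maintaining two copies of the include/exclude case ladder is how the old and new parameter logic had to be kept in sync by hand in the first place; consider lifting the OU/account resolution into a shared local module (or a single shared `.tf` file) so the next change to these rules is made once and both modules cannot drift.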
@@ -135,23 +97,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
locals {
# ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
accounts_configuration = (
# case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
local.check_old_ouid_param ? (
"NONE"
# case1 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
) : (
# case2 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
# case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
"DIFFERENCE"
) : (
# case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
"DIFFERENCE"
) : (
# case4 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
# case3 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
)
)
@@ -161,10 +118,6 @@ locals {

# switch cases for various user provided accounts configuration to be onboarded
deployment_account_options = {
NONE = {
accounts_to_deploy = []
account_filter_type = "NONE"
}
UNION = {
accounts_to_deploy = var.include_accounts
account_filter_type = "UNION"