sysdiglabs · ravinadhruve10 · Apr 3, 2025 · Apr 2, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -7,11 +7,41 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
+  # check if both old and new org parameters are provided, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
+  length(var.include_ouids) > 0 ||
+  length(var.exclude_ouids) > 0 ||
+  length(var.include_accounts) > 0 ||
+  length(var.exclude_accounts) > 0
+  )
+
+  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
+
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.org_units) == 0  # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params  # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
+    ONLY org_units will be considered. Please use only one of the two methods.
+
+    Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}
+
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -37,29 +67,37 @@ locals {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if no include/exclude ous provided, include entire org
-    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-      "entire_org"
+    # case1 - if old method is used where ONLY org_units is provided, use those
+    local.check_old_ouid_param ? (
+      "old_ouid_param"
     ) : (
-      # case2 - if only included ouids provided, include those ous only
-      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-        "included_ous_only"
+      # case2 - if no include/exclude ous provided, include entire org
+      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+        "entire_org"
       ) : (
-        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
-        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-          "excluded_ous_only"
+        # case3 - if only included ouids provided, include those ous only
+        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+          "included_ous_only"
         ) : (
-          # case4 - if both include and exclude ouids are provided, includes override excludes
-          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-            "mixed_ous"
-          ) : ""
+          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
+          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+            "excluded_ous_only"
+          ) : (
+            # case5 - if both include and exclude ouids are provided, includes override excludes
+            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+              "mixed_ous"
+            ) : ""
+          )
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
+    old_ouid_param = {
+      org_units_to_deploy = var.org_units
+    }
     entire_org = {
        org_units_to_deploy = local.root_org_unit
     }
@@ -96,18 +134,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if only included accounts provided, include those accts as well
-    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-      "UNION"
+    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
+    local.check_old_ouid_param ? (
+      "NONE"
     ) : (
-      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-      var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
-        "DIFFERENCE"
+      # case2 - if only included accounts provided, include those accts as well
+      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+        "UNION"
       ) : (
-        # case3 - if both include and exclude accounts are provided, includes override excludes
-        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-          "MIXED"
-        ) : ""
+        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+        var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+          "DIFFERENCE"
+        ) : (
+          # case4 - if both include and exclude accounts are provided, includes override excludes
+          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+            "MIXED"
+          ) : ""
+        )
       )
     )
   )
@@ -117,6 +160,10 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
+    NONE = {
+      accounts_to_deploy = []
+      account_filter_type = "NONE"
+    }
     UNION = {
       accounts_to_deploy = var.include_accounts
       account_filter_type = "UNION"

@@ -189,8 +189,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
   stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
     organizational_unit_ids = local.deployment_targets_org_units
-    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
-    account_filter_type     = local.deployment_targets_accounts_filter
+    accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
+    account_filter_type     = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100

@@ -32,8 +32,9 @@ variable "is_organizational" {
 
 variable "org_units" {
   description = <<-EOF
-    DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
-    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization."
+    TO BE DEPRECATED: Please migrate to using `include_ouids` instead.
+    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization.
+    This field is ignored if `is_organizational = false`
     EOF
   type        = set(string)
   default     = []

@@ -7,11 +7,41 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
+  # check if both old and new org parameters are provided, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
+  length(var.include_ouids) > 0 ||
+  length(var.exclude_ouids) > 0 ||
+  length(var.include_accounts) > 0 ||
+  length(var.exclude_accounts) > 0
+  )
+
+  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
+
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.org_units) == 0  # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params  # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
+    ONLY org_units will be considered. Please use only one of the two methods.
+
+    Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}
+
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -37,29 +67,37 @@ locals {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if no include/exclude ous provided, include entire org
-    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-      "entire_org"
+    # case1 - if old method is used where ONLY org_units is provided, use those
+    local.check_old_ouid_param ? (
+      "old_ouid_param"
     ) : (
-      # case2 - if only included ouids provided, include those ous only
-      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-        "included_ous_only"
+      # case2 - if no include/exclude ous provided, include entire org
+      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+        "entire_org"
       ) : (
-        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
-        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-          "excluded_ous_only"
+        # case3 - if only included ouids provided, include those ous only
+        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+          "included_ous_only"
         ) : (
-          # case4 - if both include and exclude ouids are provided, includes override excludes
-          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-            "mixed_ous"
-          ) : ""
+          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
+          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+            "excluded_ous_only"
+          ) : (
+            # case5 - if both include and exclude ouids are provided, includes override excludes
+            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+              "mixed_ous"
+            ) : ""
+          )
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
+    old_ouid_param = {
+      org_units_to_deploy = var.org_units
+    }
     entire_org = {
        org_units_to_deploy = local.root_org_unit
     }
@@ -96,18 +134,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if only included accounts provided, include those accts as well
-    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-      "UNION"
+    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
+    local.check_old_ouid_param ? (
+      "NONE"
     ) : (
-      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-      var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
-        "DIFFERENCE"
+      # case2 - if only included accounts provided, include those accts as well
+      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+        "UNION"
       ) : (
-        # case3 - if both include and exclude accounts are provided, includes override excludes
-        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-          "MIXED"
-        ) : ""
+        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+        var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+          "DIFFERENCE"
+        ) : (
+          # case4 - if both include and exclude accounts are provided, includes override excludes
+          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+            "MIXED"
+          ) : ""
+        )
       )
     )
   )
@@ -117,6 +160,10 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
+    NONE = {
+      accounts_to_deploy = []
+      account_filter_type = "NONE"
+    }
     UNION = {
       accounts_to_deploy = var.include_accounts
       account_filter_type = "UNION"

@@ -82,8 +82,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
   stack_set_name = aws_cloudformation_stack_set.stackset[0].name
   deployment_targets {
     organizational_unit_ids = local.deployment_targets_org_units
-    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
-    account_filter_type     = local.deployment_targets_accounts_filter
+    accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
+    account_filter_type     = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100

@@ -10,8 +10,8 @@ variable "is_organizational" {
 
 variable "org_units" {
   description = <<-EOF
-    DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
-    When set, org units to install cspm."
+    TO BE DEPRECATED: Please migrate to using `include_ouids` instead.
+    When set, org units to install cspm.
     EOF
   type        = set(string)
   default     = []

@@ -21,15 +21,15 @@ If instrumenting an AWS Gov account/organization, IAM policies and event bridge
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.39 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.48 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
-| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | ~> 1.39 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | ~> 1.48 |
 
 ## Modules