86 changes: 63 additions & 23 deletions modules/agentless-scanning/locals.tf
Expand Up @@ -7,11 +7,34 @@ data "aws_organizations_organization" "org" {
}

locals {
# check if both old and new org parameters are used, fail early
check_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && (
length(var.include_ouids) > 0 ||
length(var.exclude_ouids) > 0 ||
length(var.include_accounts) > 0 ||
length(var.exclude_accounts) > 0
)

# check if old org units parameter is used
check_old_ouid_param = var.is_organizational && length(var.organizational_unit_ids) > 0 && (
length(var.include_ouids) == 0 &&
length(var.exclude_ouids) == 0 &&
length(var.include_accounts) == 0 &&
length(var.exclude_accounts) == 0
)

# fetch the AWS Root OU under org
# As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
}

check "validate_org_configuration_params" {
assert {
condition = !local.check_org_configuration_params
error_message = "Error: If organizational_unit_ids is populated which is going to be DEPRECATED, variables include_ouids/exclude_ouids/include_accounts/exclude_accounts can not be populated. Please use only one of the two methods."
}
}

# *****************************************************************************************************************************************************
# INCLUDE/EXCLUDE CONFIGURATION SUPPORT
#
Expand All @@ -37,29 +60,37 @@ locals {
locals {
# OU CONFIGURATION (determine user provided org configuration)
org_configuration = (
# case1 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
# case1 - if old method is used where ONLY organizational_unit_ids is provided, use those
local.check_old_ouid_param ? (
"old_ouid_param"
) : (
# case2 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
# case2 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
) : (
# case3 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
# case3 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
) : (
# case4 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
# case4 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case5 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
)
)
)
)

# switch cases for various user provided org configuration to be onboarded
deployment_options = {
old_ouid_param = {
org_units_to_deploy = var.organizational_unit_ids
}
entire_org = {
org_units_to_deploy = local.root_org_unit
}
Expand Down Expand Up @@ -96,18 +127,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
locals {
# ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
accounts_configuration = (
# case1 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
# case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop
local.check_old_ouid_param ? (
"NONE"
) : (
# case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
"DIFFERENCE"
# case2 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
) : (
# case3 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
# case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
"DIFFERENCE"
) : (
# case4 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
)
)
)
Expand All @@ -117,6 +153,10 @@ locals {

# switch cases for various user provided accounts configuration to be onboarded
deployment_account_options = {
NONE = {
accounts_to_deploy = []
account_filter_type = "NONE"
}
UNION = {
accounts_to_deploy = var.include_accounts
account_filter_type = "UNION"
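Review bot: The `check "validate_org_configuration_params"` block added after the first `locals` block does not make the configuration fail as the "fail early" comment on `check_org_configuration_params` intends, because a Terraform `check` assertion only emits a warning and never blocks plan or apply. When both `organizational_unit_ids` and the include/exclude variables are populated, `check_old_ouid_param` is false, `org_configuration` and `accounts_configuration` take the new-style branches and `organizational_unit_ids` is silently ignored, so the deployment proceeds across a scope the operator may not have intended with nothing more than a warning. If a hard stop is wanted, move the same `condition`/`error_message` into a `lifecycle { precondition { … } }` on the resource that consumes `local.org_configuration` (outside this hunk), and note that `check` blocks need Terraform 1.5+ while the README in this change still declares `terraform >= 1.0.0`. The new locals read `var.organizational_unit_ids`, yet the only variable this change touches in variables.tf is `org_units` — presumably `organizational_unit_ids` is declared elsewhere in the module, but that is worth confirming since an undeclared variable fails at plan time. All of this applies equally to the identical hunks in modules/config-posture/locals.tf.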
2 changes: 1 addition & 1 deletion modules/agentless-scanning/variables.tf
Expand Up @@ -32,7 +32,7 @@ variable "is_organizational" {

variable "org_units" {
description = <<-EOF
DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
TO BE DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization."
EOF
type = set(string)
2 changes: 1 addition & 1 deletion modules/config-posture/README.md
Expand Up @@ -19,7 +19,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and resources wil
|---------------------------------------------------------------------------|-----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.48 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.51 |

## Providers

86 changes: 63 additions & 23 deletions modules/config-posture/locals.tf
Expand Up @@ -7,11 +7,34 @@ data "aws_organizations_organization" "org" {
}

locals {
# check if both old and new org parameters are used, fail early
check_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && (
length(var.include_ouids) > 0 ||
length(var.exclude_ouids) > 0 ||
length(var.include_accounts) > 0 ||
length(var.exclude_accounts) > 0
)

# check if old org units parameter is used
check_old_ouid_param = var.is_organizational && length(var.organizational_unit_ids) > 0 && (
length(var.include_ouids) == 0 &&
length(var.exclude_ouids) == 0 &&
length(var.include_accounts) == 0 &&
length(var.exclude_accounts) == 0
)

# fetch the AWS Root OU under org
# As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
}

check "validate_org_configuration_params" {
assert {
condition = !local.check_org_configuration_params
error_message = "Error: If organizational_unit_ids is populated which is going to be DEPRECATED, variables include_ouids/exclude_ouids/include_accounts/exclude_accounts can not be populated. Please use only one of the two methods."
}
}

# *****************************************************************************************************************************************************
# INCLUDE/EXCLUDE CONFIGURATION SUPPORT
#
Expand All @@ -37,29 +60,37 @@ locals {
locals {
# OU CONFIGURATION (determine user provided org configuration)
org_configuration = (
# case1 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
# case1 - if old method is used where ONLY organizational_unit_ids is provided, use those
local.check_old_ouid_param ? (
"old_ouid_param"
) : (
# case2 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
# case2 - if no include/exclude ous provided, include entire org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
"entire_org"
) : (
# case3 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
# case3 - if only included ouids provided, include those ous only
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
"included_ous_only"
) : (
# case4 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
# case4 - if only excluded ouids provided, exclude their accounts from rest of org
var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
"excluded_ous_only"
) : (
# case5 - if both include and exclude ouids are provided, includes override excludes
var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
"mixed_ous"
) : ""
)
)
)
)
)

# switch cases for various user provided org configuration to be onboarded
deployment_options = {
old_ouid_param = {
org_units_to_deploy = var.organizational_unit_ids
}
entire_org = {
org_units_to_deploy = local.root_org_unit
}
Expand Down Expand Up @@ -96,18 +127,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
locals {
# ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
accounts_configuration = (
# case1 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
# case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop
local.check_old_ouid_param ? (
"NONE"
) : (
# case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
"DIFFERENCE"
# case2 - if only included accounts provided, include those accts as well
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
"UNION"
) : (
# case3 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
# case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
"DIFFERENCE"
) : (
# case4 - if both include and exclude accounts are provided, includes override excludes
var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
"MIXED"
) : ""
)
)
)
)
Expand All @@ -117,6 +153,10 @@ locals {

# switch cases for various user provided accounts configuration to be onboarded
deployment_account_options = {
NONE = {
accounts_to_deploy = []
account_filter_type = "NONE"
}
UNION = {
accounts_to_deploy = var.include_accounts
account_filter_type = "UNION"
2 changes: 1 addition & 1 deletion modules/config-posture/variables.tf
Expand Up @@ -10,7 +10,7 @@ variable "is_organizational" {

variable "org_units" {
description = <<-EOF
DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
TO BE DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
When set, org units to install cspm."
EOF
type = set(string)
2 changes: 1 addition & 1 deletion modules/config-posture/versions.tf
Expand Up @@ -7,7 +7,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.48"
version = "~> 1.51"
}
}
}
2 changes: 1 addition & 1 deletion modules/integrations/cloud-logs/README.md
Expand Up @@ -18,7 +18,7 @@ If instrumenting an AWS Gov account/organization, resources will be created in `
|---------------------------------------------------------------------------|-----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.48 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.51 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |

## Providers
2 changes: 1 addition & 1 deletion modules/integrations/cloud-logs/versions.tf
Expand Up @@ -8,7 +8,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.48"
version = "~> 1.51"
}
random = {
source = "hashicorp/random"