Deprecate legacy CFT parameters for OUs (#161)

DEPRECATION NOTICE
-----------------------
Deprecating the following parameter from all templates :-

- OrganizationalUnitIDs

With this breaking change, above legacy param will no longer be supported for Secure installs.

Recommended Solutions
------------------------
- For new Foundational installs: Users can use the new params only for including and excluding organizational_units and/or accounts.

- For existing installs:
  - It is highly recommended to migrate to using new parameters. Please work with Sysdig to migrate your CFT installs to use new params instead to achieve the same deployment outcome.
  - Pin and use older template version if you do not wish to migrate.

Author: ravinadhruve10

modules/Makefile

@@ -57,7 +57,6 @@ deploy:
 			"ExternalID=$(PARAM_EXTERNAL_ID)" \
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"Partition=$(PARAM_PARTITION)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
@@ -76,7 +75,6 @@ deploy:
 			"IngestionUrl=$(PARAM_INGESTION_URL)" \
 			"RateLimit=$(PARAM_RATE_LIMIT)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"Partition=$(PARAM_PARTITION)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
@@ -93,7 +91,6 @@ deploy:
 			"Regions=$(PARAM_REGIONS)" \
 			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"Partition=$(PARAM_PARTITION)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
@@ -109,7 +106,6 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"BucketARN=$(PARAM_BUCKET_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
 			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
@@ -124,7 +120,6 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"Regions=$(PARAM_REGIONS)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
 			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
@@ -140,7 +135,6 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"RootOUID=$(PARAM_ROOT_OU_ID)" \
 			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
 			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \

modules/README.md

@@ -12,7 +12,6 @@ Modular templates support cross sections of Sysdig Secure feature sets. Each tem
 
 Organizations are supported by setting the following template parameters
 * `IsOrganizational=true`
-* `OrganizationalUnitIDs=ou-...` (to be deprecated on 30th November, 2025, please read below)
 
 ### Organizational Install Configurations
 
@@ -22,4 +21,4 @@ Following are the new parameters to configure organizational deployments on the
 3. `IncludeAccounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in.
 4. `ExcludeAccounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in.
 
-**WARNING**: module template parameter `OrganizationalUnitIDs` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your CFT based installs to use `IncludeOUIDs` instead to achieve the same deployment outcome.
+**DEPRECATION NOTICE**: module template parameter `OrganizationalUnitIDs` has been DEPRECATED and is no longer supported. Please work with Sysdig to migrate your CFT based installs to use `IncludeOUIDs` instead to achieve the same deployment outcome.

modules/foundational.cft.yaml

@@ -10,7 +10,6 @@ Metadata:
       - ExternalID
       - TrustedIdentity
       - IsOrganizational
-      - OrganizationalUnitIDs
       - Partition
       - RootOUID
       - IncludeOUIDs
@@ -25,8 +24,6 @@ Metadata:
         default: Trusted Identity
       IsOrganizational:
         default: Is Organizational
-      OrganizationalUnitIDs:
-        default: (TO BE DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs
       Partition:
         default: AWS Partition
       RootOUID:
@@ -57,9 +54,6 @@ Parameters:
     AllowedValues:
     - 'true'
     - 'false'
-  OrganizationalUnitIDs:
-    Type: CommaDelimitedList
-    Description: (WARNING - TO BE DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   Partition:
     Type: String
     Description: AWS Partition of your account or organization to create resources in
@@ -81,16 +75,8 @@ Conditions:
     Fn::Equals:
     - Ref: IsOrganizational
     - 'true'
-  # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it
-  IsOldOuidConfigured:
-    !And
-    - !Condition IsOrganizational
-    - !Not
-      - !Equals
-        - !Join ["", !Ref OrganizationalUnitIDs]
-        - ''
 
-  # Else, check for new Inclusion and Exclusion params
+  # check for new Inclusion and Exclusion params
   # INCLUSIONS
   OUInclusionsConfigured:
     !And
@@ -282,28 +268,19 @@ Resources:
       - DeploymentTargets:
           OrganizationalUnitIds:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref OrganizationalUnitIDs
-            - Fn::If:
-              - AllowedInclusions
-              - !Ref IncludeOUIDs
-              - !Ref RootOUID
+            - AllowedInclusions
+            - !Ref IncludeOUIDs
+            - !Ref RootOUID
           AccountFilterType:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - "DIFFERENCE"
-              - "NONE"
+            - AccountExclusionsConfigured
+            - "DIFFERENCE"
+            - "NONE"
           Accounts:
             Fn::If:
-            - IsOldOuidConfigured
+            - AccountExclusionsConfigured
+            - !Ref ExcludeAccounts
             - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - !Ref ExcludeAccounts
-              - !Ref 'AWS::NoValue'
         Regions:
         - Ref: AWS::Region
       TemplateBody: |

modules/log_ingestion.events.cft.yaml

@@ -19,7 +19,6 @@ Metadata:
       - Regions
       - RuleState
       - IsOrganizational
-      - OrganizationalUnitIDs
       - Partition
       - RootOUID
       - IncludeOUIDs
@@ -46,8 +45,6 @@ Metadata:
         default: EventBridge Rule event pattern
       IsOrganizational:
         default: Is Organizational
-      OrganizationalUnitIDs:
-        default: (TO BE DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs
       Partition:
         default: AWS Partition
       RootOUID:
@@ -84,9 +81,6 @@ Parameters:
   Regions:
     Type: CommaDelimitedList
     Description: Comma separated list of regions to monitor with EventBridge
-  OrganizationalUnitIDs:
-    Type: CommaDelimitedList
-    Description: (WARNING - TO BE DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   RuleState:
     Type: String
     Description: The state of the EventBridge Rule
@@ -145,16 +139,8 @@ Conditions:
     Fn::Equals:
     - Ref: IsOrganizational
     - 'true'
-  # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it
-  IsOldOuidConfigured:
-    !And
-    - !Condition IsOrganizational
-    - !Not
-      - !Equals
-        - !Join ["", !Ref OrganizationalUnitIDs]
-        - ''
 
-  # Else, check for new Inclusion and Exclusion params
+  # check for new Inclusion and Exclusion params
   # INCLUSIONS
   OUInclusionsConfigured:
     !And
@@ -418,28 +404,19 @@ Resources:
       - DeploymentTargets:
           OrganizationalUnitIds:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref OrganizationalUnitIDs
-            - Fn::If:
-              - AllowedInclusions
-              - !Ref IncludeOUIDs
-              - !Ref RootOUID
+            - AllowedInclusions
+            - !Ref IncludeOUIDs
+            - !Ref RootOUID
           AccountFilterType:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - "DIFFERENCE"
-              - "NONE"
+            - AccountExclusionsConfigured
+            - "DIFFERENCE"
+            - "NONE"
           Accounts:
             Fn::If:
-            - IsOldOuidConfigured
+            - AccountExclusionsConfigured
+            - !Ref ExcludeAccounts
             - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - !Ref ExcludeAccounts
-              - !Ref 'AWS::NoValue'
         Regions: [!Ref "AWS::Region"]
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"
@@ -550,28 +527,19 @@ Resources:
       - DeploymentTargets:
           OrganizationalUnitIds:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref OrganizationalUnitIDs
-            - Fn::If:
-              - AllowedInclusions
-              - !Ref IncludeOUIDs
-              - !Ref RootOUID
+            - AllowedInclusions
+            - !Ref IncludeOUIDs
+            - !Ref RootOUID
           AccountFilterType:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - "DIFFERENCE"
-              - "NONE"
+            - AccountExclusionsConfigured
+            - "DIFFERENCE"
+            - "NONE"
           Accounts:
             Fn::If:
-            - IsOldOuidConfigured
+            - AccountExclusionsConfigured
+            - !Ref ExcludeAccounts
             - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - !Ref ExcludeAccounts
-              - !Ref 'AWS::NoValue'
         Regions: !Ref Regions
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"

modules/log_ingestion.legacy_events.cft.yaml

@@ -17,7 +17,6 @@ Metadata:
       - Regions
       - RuleState
       - IsOrganizational
-      - OrganizationalUnitIDs
       - Partition
       - RootOUID
       - IncludeOUIDs
@@ -40,8 +39,6 @@ Metadata:
         default: EventBridge Rule event pattern
       IsOrganizational:
         default: Is Organizational
-      OrganizationalUnitIDs:
-        default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs
       Partition:
         default: AWS Partition (GovCloud Only)
       RootOUID:
@@ -73,9 +70,6 @@ Parameters:
   Regions:
     Type: CommaDelimitedList
     Description: Comma separated list of regions to monitor with EventBridge
-  OrganizationalUnitIDs:
-    Type: CommaDelimitedList
-    Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   RuleState:
     Type: String
     Description: The state of the EventBridge Rule
@@ -136,16 +130,8 @@ Conditions:
     Fn::Equals:
     - Ref: IsOrganizational
     - 'true'
-  # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it
-  IsOldOuidConfigured:
-    !And
-    - !Condition IsOrganizational
-    - !Not
-      - !Equals
-        - !Join ["", !Ref OrganizationalUnitIDs]
-        - ''
 
-  # Else, check for new Inclusion and Exclusion params
+  # check for new Inclusion and Exclusion params
   # INCLUSIONS
   OUInclusionsConfigured:
     !And
@@ -368,28 +354,19 @@ Resources:
       - DeploymentTargets:
           OrganizationalUnitIds:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref OrganizationalUnitIDs
-            - Fn::If:
-              - AllowedInclusions
-              - !Ref IncludeOUIDs
-              - !Ref RootOUID
+            - AllowedInclusions
+            - !Ref IncludeOUIDs
+            - !Ref RootOUID
           AccountFilterType:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - "DIFFERENCE"
-              - "NONE"
+            - AccountExclusionsConfigured
+            - "DIFFERENCE"
+            - "NONE"
           Accounts:
             Fn::If:
-            - IsOldOuidConfigured
+            - AccountExclusionsConfigured
+            - !Ref ExcludeAccounts
             - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - !Ref ExcludeAccounts
-              - !Ref 'AWS::NoValue'
         Regions: [!Ref "AWS::Region"]
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"
@@ -479,28 +456,19 @@ Resources:
       - DeploymentTargets:
           OrganizationalUnitIds:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref OrganizationalUnitIDs
-            - Fn::If:
-              - AllowedInclusions
-              - !Ref IncludeOUIDs
-              - !Ref RootOUID
+            - AllowedInclusions
+            - !Ref IncludeOUIDs
+            - !Ref RootOUID
           AccountFilterType:
             Fn::If:
-            - IsOldOuidConfigured
-            - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - "DIFFERENCE"
-              - "NONE"
+            - AccountExclusionsConfigured
+            - "DIFFERENCE"
+            - "NONE"
           Accounts:
             Fn::If:
-            - IsOldOuidConfigured
+            - AccountExclusionsConfigured
+            - !Ref ExcludeAccounts
             - !Ref 'AWS::NoValue'
-            - Fn::If:
-              - AccountExclusionsConfigured
-              - !Ref ExcludeAccounts
-              - !Ref 'AWS::NoValue'
         Regions: !Ref Regions
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"