Update Org onboarding to honor include/exclude (#39)

* Update Org onboarding to honor include/exclude

Change summary:
----------------
- For Foundational onboarding, update the stackset deployment targets
  to honor the various include/exclude ous/accounts configuration
  input(s) provided by the user.
- Added a section in README.

* Handle account exclusions better

* Remove comment

* Move locals to separate tf

* Honor include/exclude for all modules org installs

* Fix local var to read set

* add version and root id field

* Update organizational.tf

* Refactoring to work around unsupported AWS UNION filter

- Modified the logic for include support:
  Inclusions with UNION filter don't work due to an AWS bug.
  Added temp change to then install resources on entire org.
- Modified the logic for handling exclusions better and cleaner
- Updated the test example snippets for all features (commercial installs)

* Remove unncessary comment

* Fix description comments

* Fix var name reference

* Keeping provider versions consistent

---------

Co-authored-by: Jose Pablo Camacho <[email protected]>

Author: ravinadhruve10

README.md

@@ -65,6 +65,16 @@ Notice that:
 
 <br/>
 
+## Organizational Install Configurations
+
+There are four new parameters to configure organizational deployments on the cloud for Sysdig Secure for Cloud :-
+1. `include_ouids` - List of AWS Organizational Unit IDs to deploy the Sysdig Secure for Cloud stack resources in.
+2. `exclude_ouids` - List of AWS Organizational Unit IDs to exclude deploying the Sysdig Secure for Cloud stack resources in.
+3. `include_accounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud stack resources in.
+4. `exclude_accounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud stack resources in.
+
+Note: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED soon going forward. You can use `include_ouids` instead to achieve the same deployment outcome.
+
 ## Best practices
 
 For contributing to existing modules or adding new modules, below are some of the best practices recommended :-

modules/agentless-scanning/README.md

@@ -70,6 +70,11 @@ No modules.
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| <a name="input_include_ouids"></a> [include\_ouids](#input\_include\_ouids)                                                | ouids to include for organization                                                                                                                     | `set(string)` | `[]`                                                        |    no    |
+| <a name="input_exclude_ouids"></a> [exclude\_ouids](#input\_exclude\_ouids)                                                | ouids to exclude for organization                                                                                                                     | `set(string)` | `[]`                                                        |    no    |
+| <a name="input_include_accounts"></a> [include\_accounts](#input\_include\_accounts)                                       | accounts to include for organization                                                                                                                  | `set(string)` | `[]`                                                        |    no    |
+| <a name="input_exclude_accounts"></a> [exclude\_accounts](#input\_exclude\_accounts)                                       | accounts to exclude for organization                                                                                                                  | `set(string)` | `[]`                                                        |    no    |
+
 
 ## Outputs
 

modules/agentless-scanning/locals.tf

@@ -0,0 +1,153 @@
+#----------------------------------------------------------
+# Fetch & compute required data for organizational install
+#----------------------------------------------------------
+
+data "aws_organizations_organization" "org" {
+  count = var.is_organizational ? 1 : 0
+}
+
+locals {
+  # fetch the AWS Root OU under org
+  # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
+  root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
+}
+
+# *****************************************************************************************************************************************************
+# INCLUDE/EXCLUDE CONFIGURATION SUPPORT
+#
+# 1. Inclusions will always be handled for TF cloud provisioning.
+#    NOTE:
+#    Till AWS issue with UNION filter (https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100)
+#    is fixed, we can't deploy using UNION filters for inclusions. As a workaround to ensure we don't skip any accounts, we deploy it to entire org.
+#
+# 2. We handle exclusions when only exclusion parameters are provided i.e out of all 4 configuration inputs,
+#      a. only exclude_ouids are provided, OR
+#      b. only exclude_accounts are provided, OR
+#      c. only exclude_ouids AND exclude_accounts are provided
+#    Else we ignore exclusions during cloud resource provisioning through TF. This is because AWS does not allow both operations - to include some
+#    accounts and to exclude some. Hence, we will always prioritize include over exclude.
+#
+# 3. Sysdig however will honor all combinations of configuration inputs exactly as desired.
+# *****************************************************************************************************************************************************
+
+#------------------------------------------------------------
+# Manage configurations to determine OU targets to deploy in
+#------------------------------------------------------------
+
+locals {
+  # OU CONFIGURATION (determine user provided org configuration)
+  org_configuration = (
+    # case1 - if no include/exclude ous provided, include entire org
+    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+      "entire_org"
+    ) : (
+      # case2 - if only included ouids provided, include those ous only
+      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+        "included_ous_only"
+      ) : (
+        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
+        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+          "excluded_ous_only"
+        ) : (
+          # case4 - if both include and exclude ouids are provided, includes override excludes
+          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+            "mixed_ous"
+          ) : ""
+        )
+      )
+    )
+  )
+
+  # switch cases for various user provided org configuration to be onboarded
+  deployment_options = {
+    entire_org = {
+       org_units_to_deploy = local.root_org_unit
+    }
+    included_ous_only = {
+      org_units_to_deploy = var.include_ouids
+    }
+    excluded_ous_only = {
+      # onboard entire org and filter out all accounts in excluded OUs using account filter
+      org_units_to_deploy = local.root_org_unit
+    }
+    mixed_ous = {
+      # if both include and exclude ouids are provided, includes override excludes
+      org_units_to_deploy = var.include_ouids
+    }
+    default = {
+      org_units_to_deploy = local.root_org_unit
+    }
+  }
+
+  # final targets to deploy organizational resources in
+  deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+}
+
+#-----------------------------------------------------------------
+# Manage configurations to determine account targets to deploy in
+#-----------------------------------------------------------------
+
+# if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
+data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
+  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  parent_id = each.key
+}
+
+locals {
+  # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
+  accounts_configuration = (
+    # case1 - if only included accounts provided, include those accts as well
+    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+      "UNION"
+    ) : (
+      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+      var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+        "DIFFERENCE"
+      ) : (
+        # case3 - if both include and exclude accounts are provided, includes override excludes
+        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+          "MIXED"
+        ) : ""
+      )
+    )
+  )
+
+  ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ])
+  accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts)
+
+  # switch cases for various user provided accounts configuration to be onboarded
+  deployment_account_options = {
+    UNION = {
+      accounts_to_deploy = var.include_accounts
+      account_filter_type = "UNION"
+    }
+    DIFFERENCE = {
+      accounts_to_deploy = local.accounts_to_exclude
+      account_filter_type = "DIFFERENCE"
+    }
+    MIXED = {
+      accounts_to_deploy = var.include_accounts
+      account_filter_type = "UNION"
+    }
+    default = {
+      # default when neither of include/exclude accounts are provided
+      accounts_to_deploy = []
+      account_filter_type = "NONE"
+    }
+  }
+
+  # list of accounts to deploy organizational resources in
+  deployment_targets_accounts = lookup(local.deployment_account_options, local.accounts_configuration, local.deployment_account_options.default)
+}
+
+# -----------------------------------------------------------------------------------------------------
+# Remove below conditional once AWS issue is fixed -
+# https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100
+# -----------------------------------------------------------------------------------------------------
+locals {
+  # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested.
+  # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter.
+  # i.e till we can't deploy UNION, we deploy it all
+  deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy
+  deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type
+}

modules/agentless-scanning/organizational.tf

@@ -7,14 +7,6 @@
 # - an Alias by the same name for the respective key, in each region of region list.
 #-----------------------------------------------------------------------------------------------------------------------
 
-data "aws_organizations_organization" "org" {
-  count = var.is_organizational ? 1 : 0
-}
-
-locals {
-  organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
-}
-
 #-----------------------------------------------------------------------------------------------------------------------
 # stackset and stackset instance deployed for all accounts in all organization units
 #   - IAM Role
@@ -196,7 +188,9 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
 
   stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.organizational_unit_ids
+    organizational_unit_ids = local.deployment_targets_org_units
+    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
+    account_filter_type     = local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100

modules/agentless-scanning/variables.tf

@@ -31,7 +31,10 @@ variable "is_organizational" {
 }
 
 variable "org_units" {
-  description = "(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`"
+  description = <<-EOF
+    DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
+    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization."
+    EOF
   type        = set(string)
   default     = []
 }
@@ -81,4 +84,28 @@ variable "failure_tolerance_percentage" {
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)"
+}
+
+variable "include_ouids" {
+  description = "(Optional) ouids to include for organization"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_ouids" {
+  description = "(Optional) ouids to exclude for organization"
+  type        = set(string)
+  default     = []
+}
+
+variable "include_accounts" {
+  description = "(Optional) accounts to include for organization"
+  type        = set(string)
+  default     = []
+}
+
+variable "exclude_accounts" {
+  description = "(Optional) accounts to exclude for organization"
+  type        = set(string)
+  default     = []
 }

modules/config-posture/README.md

@@ -19,7 +19,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and resources wil
 |---------------------------------------------------------------------------|-----------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0  |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 5.60.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~>1.39    |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~>1.48    |
 
 ## Providers