Add migration support for Orgs and bump sysdig versions (#46)

* Add migration support for Orgs and bump sysdig versions

Change summary:
----------------
- To keep things backwards compatible for supporting migration
from old variable to new variables for org onboarding, adding
the necessary support.
- Also, bumping up sysdig provider revisions across all modules to 1.51

* Fixes after testing

Fix summary:
------------
1. Updated error and warnings for deprecated
2. Polished the messages
3. Downgraded the sysdig provider version back to 1.48
4. Added provision to not recreate stacksets
5. If old param is present (ONLY or with include/exclude), we throw DEPRECATED warning &
   indicate we give preference to old param to maintain backwards compatibility.

* Fix test samples

* Fix event-bridge README

* Set include/exclude fields only when org_unit_ids is not present

Author: ravinadhruve10

modules/agentless-scanning/locals.tf

@@ -7,11 +7,41 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
+  # check if both old and new org parameters are provided, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
+  length(var.include_ouids) > 0 ||
+  length(var.exclude_ouids) > 0 ||
+  length(var.include_accounts) > 0 ||
+  length(var.exclude_accounts) > 0
+  )
+
+  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
+
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.org_units) == 0  # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params  # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
+    ONLY org_units will be considered. Please use only one of the two methods.
+
+    Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}
+
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -37,29 +67,37 @@ locals {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if no include/exclude ous provided, include entire org
-    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-      "entire_org"
+    # case1 - if old method is used where ONLY org_units is provided, use those
+    local.check_old_ouid_param ? (
+      "old_ouid_param"
     ) : (
-      # case2 - if only included ouids provided, include those ous only
-      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-        "included_ous_only"
+      # case2 - if no include/exclude ous provided, include entire org
+      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+        "entire_org"
       ) : (
-        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
-        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-          "excluded_ous_only"
+        # case3 - if only included ouids provided, include those ous only
+        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+          "included_ous_only"
         ) : (
-          # case4 - if both include and exclude ouids are provided, includes override excludes
-          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-            "mixed_ous"
-          ) : ""
+          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
+          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+            "excluded_ous_only"
+          ) : (
+            # case5 - if both include and exclude ouids are provided, includes override excludes
+            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+              "mixed_ous"
+            ) : ""
+          )
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
+    old_ouid_param = {
+      org_units_to_deploy = var.org_units
+    }
     entire_org = {
        org_units_to_deploy = local.root_org_unit
     }
@@ -96,18 +134,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if only included accounts provided, include those accts as well
-    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-      "UNION"
+    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
+    local.check_old_ouid_param ? (
+      "NONE"
     ) : (
-      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-      var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
-        "DIFFERENCE"
+      # case2 - if only included accounts provided, include those accts as well
+      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+        "UNION"
       ) : (
-        # case3 - if both include and exclude accounts are provided, includes override excludes
-        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-          "MIXED"
-        ) : ""
+        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+        var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+          "DIFFERENCE"
+        ) : (
+          # case4 - if both include and exclude accounts are provided, includes override excludes
+          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+            "MIXED"
+          ) : ""
+        )
       )
     )
   )
@@ -117,6 +160,10 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
+    NONE = {
+      accounts_to_deploy = []
+      account_filter_type = "NONE"
+    }
     UNION = {
       accounts_to_deploy = var.include_accounts
       account_filter_type = "UNION"

modules/agentless-scanning/organizational.tf

@@ -189,8 +189,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
   stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
     organizational_unit_ids = local.deployment_targets_org_units
-    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
-    account_filter_type     = local.deployment_targets_accounts_filter
+    accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
+    account_filter_type     = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100

modules/agentless-scanning/variables.tf

@@ -32,8 +32,9 @@ variable "is_organizational" {
 
 variable "org_units" {
   description = <<-EOF
-    DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
-    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization."
+    TO BE DEPRECATED: Please migrate to using `include_ouids` instead.
+    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization.
+    This field is ignored if `is_organizational = false`
     EOF
   type        = set(string)
   default     = []

modules/config-posture/locals.tf

@@ -7,11 +7,41 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
+  # check if both old and new org parameters are provided, we fail early
+  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
+  length(var.include_ouids) > 0 ||
+  length(var.exclude_ouids) > 0 ||
+  length(var.include_accounts) > 0 ||
+  length(var.exclude_accounts) > 0
+  )
+
+  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
+  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
+
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
+check "validate_org_configuration_params" {
+  assert {
+    condition     = length(var.org_units) == 0  # if this condition is false we throw warning
+    error_message = <<-EOT
+    WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
+    EOT
+  }
+
+  assert {
+    condition     = !local.both_org_configuration_params  # if this condition is false we throw error
+    error_message = <<-EOT
+    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
+    ONLY org_units will be considered. Please use only one of the two methods.
+
+    Note: org_units is going to be DEPRECATED soon, please work with Sysdig to migrate your Terraform installs.
+    EOT
+  }
+}
+
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -37,29 +67,37 @@ locals {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if no include/exclude ous provided, include entire org
-    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-      "entire_org"
+    # case1 - if old method is used where ONLY org_units is provided, use those
+    local.check_old_ouid_param ? (
+      "old_ouid_param"
     ) : (
-      # case2 - if only included ouids provided, include those ous only
-      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-        "included_ous_only"
+      # case2 - if no include/exclude ous provided, include entire org
+      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+        "entire_org"
       ) : (
-        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
-        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-          "excluded_ous_only"
+        # case3 - if only included ouids provided, include those ous only
+        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+          "included_ous_only"
         ) : (
-          # case4 - if both include and exclude ouids are provided, includes override excludes
-          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-            "mixed_ous"
-          ) : ""
+          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
+          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+            "excluded_ous_only"
+          ) : (
+            # case5 - if both include and exclude ouids are provided, includes override excludes
+            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+              "mixed_ous"
+            ) : ""
+          )
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
+    old_ouid_param = {
+      org_units_to_deploy = var.org_units
+    }
     entire_org = {
        org_units_to_deploy = local.root_org_unit
     }
@@ -96,18 +134,23 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if only included accounts provided, include those accts as well
-    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-      "UNION"
+    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
+    local.check_old_ouid_param ? (
+      "NONE"
     ) : (
-      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-      var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
-        "DIFFERENCE"
+      # case2 - if only included accounts provided, include those accts as well
+      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+        "UNION"
       ) : (
-        # case3 - if both include and exclude accounts are provided, includes override excludes
-        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-          "MIXED"
-        ) : ""
+        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+        var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+          "DIFFERENCE"
+        ) : (
+          # case4 - if both include and exclude accounts are provided, includes override excludes
+          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+            "MIXED"
+          ) : ""
+        )
       )
     )
   )
@@ -117,6 +160,10 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
+    NONE = {
+      accounts_to_deploy = []
+      account_filter_type = "NONE"
+    }
     UNION = {
       accounts_to_deploy = var.include_accounts
       account_filter_type = "UNION"

modules/config-posture/organizational.tf

@@ -82,8 +82,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
   stack_set_name = aws_cloudformation_stack_set.stackset[0].name
   deployment_targets {
     organizational_unit_ids = local.deployment_targets_org_units
-    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
-    account_filter_type     = local.deployment_targets_accounts_filter
+    accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
+    account_filter_type     = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100

modules/config-posture/variables.tf

@@ -10,8 +10,8 @@ variable "is_organizational" {
 
 variable "org_units" {
   description = <<-EOF
-    DEPRECATED: Defaults to `[]`, use `include_ouids` instead.
-    When set, org units to install cspm."
+    TO BE DEPRECATED: Please migrate to using `include_ouids` instead.
+    When set, org units to install cspm.
     EOF
   type        = set(string)
   default     = []

modules/integrations/event-bridge/README.md

@@ -21,15 +21,15 @@ If instrumenting an AWS Gov account/organization, IAM policies and event bridge
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.39 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.48 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
-| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | ~> 1.39 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | ~> 1.48 |
 
 ## Modules