sysdiglabs
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/agentless-scanning/README.md‎
Lines changed: 0 additions & 1 deletion b/‎modules/agentless-scanning/README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎modules/agentless-scanning/locals.tf‎
Lines changed: 23 additions & 70 deletions b/‎modules/agentless-scanning/locals.tf‎
Lines changed: 23 additions & 70 deletions
diff --git a/‎modules/agentless-scanning/organizational.tf‎
Lines changed: 2 additions & 2 deletions b/‎modules/agentless-scanning/organizational.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/agentless-scanning/variables.tf‎
Lines changed: 0 additions & 10 deletions b/‎modules/agentless-scanning/variables.tf‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎modules/config-posture/README.md‎
Lines changed: 0 additions & 1 deletion b/‎modules/config-posture/README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎modules/config-posture/locals.tf‎
Lines changed: 23 additions & 70 deletions b/‎modules/config-posture/locals.tf‎
Lines changed: 23 additions & 70 deletions
@@ -73,7 +73,7 @@ There are four new parameters to configure organizational deployments on the clo
 3. `include_accounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in.
 4. `exclude_accounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in.
 
-**WARNING**: module variable `organizational_unit_ids` / `org_units` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome.
+**DEPRECATION NOTICE**: module variables `organizational_unit_ids` / `org_units` have been DEPRECATED and are no longer supported. Please work with Sysdig to migrate your Terraform installs to use `include_ouids` instead to achieve the same deployment outcome.
 
 ### Stackset Instances Installation
 
 
@@ -62,7 +62,6 @@ No modules.
 | <a name="input_kms_key_deletion_window"></a> [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Deletion window for shared KMS key | `number` | `7` | no |
 | <a name="input_mgt_stackset"></a> [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-secure-scanning"` | no |
-| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.<br>(Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
 | <a name="input_regions"></a> [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no |
 | <a name="input_scanning_account_id"></a> [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | `"878070807337"` | no |
 | <a name="input_stackset_admin_role_arn"></a> [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no |
 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
-  # check if both old and new org parameters are provided, we fail early
-  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
-    length(var.include_ouids) > 0 ||
-    length(var.exclude_ouids) > 0 ||
-    length(var.include_accounts) > 0 ||
-    length(var.exclude_accounts) > 0
-  )
-
-  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
-  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
-
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
-check "validate_org_configuration_params" {
-  assert {
-    condition     = length(var.org_units) == 0 # if this condition is false we throw warning
-    error_message = <<-EOT
-    WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
-    EOT
-  }
-
-  assert {
-    condition     = !local.both_org_configuration_params # if this condition is false we throw error
-    error_message = <<-EOT
-    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
-    ONLY org_units will be considered. Please use only one of the two methods.
-
-    Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
-    EOT
-  }
-}
-
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -67,37 +37,29 @@ check "validate_org_configuration_params" {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if old method is used where ONLY org_units is provided, use those
-    local.check_old_ouid_param ? (
-      "old_ouid_param"
+    # case1 - if no include/exclude ous provided, include entire org
+    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+      "entire_org"
       ) : (
-      # case2 - if no include/exclude ous provided, include entire org
-      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-        "entire_org"
+      # case2 - if only included ouids provided, include those ous only
+      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+        "included_ous_only"
         ) : (
-        # case3 - if only included ouids provided, include those ous only
-        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-          "included_ous_only"
+        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
+        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+          "excluded_ous_only"
           ) : (
-          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
-          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-            "excluded_ous_only"
-            ) : (
-            # case5 - if both include and exclude ouids are provided, includes override excludes
-            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-              "mixed_ous"
-            ) : ""
-          )
+          # case4 - if both include and exclude ouids are provided, includes override excludes
+          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+            "mixed_ous"
+          ) : ""
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
-    old_ouid_param = {
-      org_units_to_deploy = var.org_units
-    }
     entire_org = {
       org_units_to_deploy = local.root_org_unit
     }
@@ -137,23 +99,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
-    local.check_old_ouid_param ? (
-      "NONE"
+    # case1 - if only included accounts provided, include those accts as well
+    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+      "UNION"
       ) : (
-      # case2 - if only included accounts provided, include those accts as well
-      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-        "UNION"
+      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+      var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
+        "DIFFERENCE"
         ) : (
-        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-        var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
-          "DIFFERENCE"
-          ) : (
-          # case4 - if both include and exclude accounts are provided, includes override excludes
-          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-            "MIXED"
-          ) : ""
-        )
+        # case3 - if both include and exclude accounts are provided, includes override excludes
+        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+          "MIXED"
+        ) : ""
       )
     )
   )
@@ -163,10 +120,6 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
-    NONE = {
-      accounts_to_deploy  = []
-      account_filter_type = "NONE"
-    }
     UNION = {
       accounts_to_deploy  = var.include_accounts
       account_filter_type = "UNION"
 
@@ -192,8 +192,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
   stack_set_name            = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
     organizational_unit_ids = [each.value[1]]
-    accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
-    account_filter_type     = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
+    accounts                = local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy
+    account_filter_type     = local.deployment_targets_accounts_filter
   }
   operation_preferences {
     max_concurrent_percentage    = 100
 
@@ -30,16 +30,6 @@ variable "is_organizational" {
   default     = false
 }
 
-variable "org_units" {
-  description = <<-EOF
-    TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.
-    When set, list of Organization Unit IDs to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization.
-    This field is ignored if `is_organizational = false`
-    EOF
-  type        = set(string)
-  default     = []
-}
-
 variable "regions" {
   description = "(Optional) List of regions in which to install Agentless Scanning"
   type        = set(string)
 
@@ -52,7 +52,6 @@ No modules.
 |----------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:|
 | <a name="input_failure_tolerance_percentage"></a> [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region              | `number`      | `90`                                                        |    no    |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                                    | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool`        | `false`                                                     |    no    |
-| <a name="input_org_units"></a> [org\_units](#input\_org\_units)                                                            | TO BE DEPRECATED on 30th November, 2025: Please work with Sysdig to migrate to using `include_ouids` instead.<br>Org unit id to install cspm                                                                                                                           | `set(string)` | `[]`                                                        |    no    |
 | <a name="input_region"></a> [region](#input\_region)                                                                       | Default region for resource creation in organization mode                                                                                             | `string`      | `""`                                                        |    no    |
 | <a name="input_tags"></a> [tags](#input\_tags)                                                                             | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                                              | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
 | <a name="input_timeout"></a> [timeout](#input\_timeout)                                                                    | Default timeout values for create, update, and delete operations                                                                                      | `string`      | `"30m"`                                                     |    no    |
 
@@ -7,41 +7,11 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
-  # check if both old and new org parameters are provided, we fail early
-  both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
-    length(var.include_ouids) > 0 ||
-    length(var.exclude_ouids) > 0 ||
-    length(var.include_accounts) > 0 ||
-    length(var.exclude_accounts) > 0
-  )
-
-  # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
-  check_old_ouid_param = var.is_organizational && length(var.org_units) > 0
-
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
   root_org_unit = var.is_organizational ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : []
 }
 
-check "validate_org_configuration_params" {
-  assert {
-    condition     = length(var.org_units) == 0 # if this condition is false we throw warning
-    error_message = <<-EOT
-    WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
-    EOT
-  }
-
-  assert {
-    condition     = !local.both_org_configuration_params # if this condition is false we throw error
-    error_message = <<-EOT
-    ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
-    ONLY org_units will be considered. Please use only one of the two methods.
-
-    Note: org_units is going to be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs.
-    EOT
-  }
-}
-
 # *****************************************************************************************************************************************************
 # INCLUDE/EXCLUDE CONFIGURATION SUPPORT
 #
@@ -67,37 +37,29 @@ check "validate_org_configuration_params" {
 locals {
   # OU CONFIGURATION (determine user provided org configuration)
   org_configuration = (
-    # case1 - if old method is used where ONLY org_units is provided, use those
-    local.check_old_ouid_param ? (
-      "old_ouid_param"
+    # case1 - if no include/exclude ous provided, include entire org
+    var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
+      "entire_org"
       ) : (
-      # case2 - if no include/exclude ous provided, include entire org
-      var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
-        "entire_org"
+      # case2 - if only included ouids provided, include those ous only
+      var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
+        "included_ous_only"
         ) : (
-        # case3 - if only included ouids provided, include those ous only
-        var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
-          "included_ous_only"
+        # case3 - if only excluded ouids provided, exclude their accounts from rest of org
+        var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
+          "excluded_ous_only"
           ) : (
-          # case4 - if only excluded ouids provided, exclude their accounts from rest of org
-          var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
-            "excluded_ous_only"
-            ) : (
-            # case5 - if both include and exclude ouids are provided, includes override excludes
-            var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
-              "mixed_ous"
-            ) : ""
-          )
+          # case4 - if both include and exclude ouids are provided, includes override excludes
+          var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
+            "mixed_ous"
+          ) : ""
         )
       )
     )
   )
 
   # switch cases for various user provided org configuration to be onboarded
   deployment_options = {
-    old_ouid_param = {
-      org_units_to_deploy = var.org_units
-    }
     entire_org = {
       org_units_to_deploy = local.root_org_unit
     }
@@ -135,23 +97,18 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (
-    # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
-    local.check_old_ouid_param ? (
-      "NONE"
+    # case1 - if only included accounts provided, include those accts as well
+    var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
+      "UNION"
       ) : (
-      # case2 - if only included accounts provided, include those accts as well
-      var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
-        "UNION"
+      # case2 - if only excluded accounts or only excluded ouids provided, exclude those accounts
+      var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
+        "DIFFERENCE"
         ) : (
-        # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-        var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
-          "DIFFERENCE"
-          ) : (
-          # case4 - if both include and exclude accounts are provided, includes override excludes
-          var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
-            "MIXED"
-          ) : ""
-        )
+        # case3 - if both include and exclude accounts are provided, includes override excludes
+        var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
+          "MIXED"
+        ) : ""
       )
     )
   )
@@ -161,10 +118,6 @@ locals {
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
-    NONE = {
-      accounts_to_deploy  = []
-      account_filter_type = "NONE"
-    }
     UNION = {
       accounts_to_deploy  = var.include_accounts
       account_filter_type = "UNION"