fix(single-onboarding): add check on root_org_unit (#54)

* add check on root_org_unit

* remove redundant check

* fix: single account onboard

---------

Co-authored-by: Jose Pablo Camacho <jose.camacho@sysdig.com>

Author: matteopasa

modules/agentless-scanning/locals.tf

@@ -119,6 +119,9 @@ locals {
 
   # final targets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+  // check if root is part of the excluded_ouids
+  isRootExcluded = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 
 #-----------------------------------------------------------------
@@ -127,7 +130,7 @@ locals {
 
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
-  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  for_each  = local.org_configuration == "excluded_ous_only" && !local.isRootExcluded ? var.exclude_ouids : []
   parent_id = each.key
 }
 

modules/config-posture/locals.tf

@@ -119,6 +119,8 @@ locals {
 
   # final targets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+  
+  exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 
 #-----------------------------------------------------------------
@@ -127,10 +129,9 @@ locals {
 
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
-  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  for_each  = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
   parent_id = each.key
 }
-
 locals {
   # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
   accounts_configuration = (

modules/integrations/event-bridge/locals.tf

@@ -119,6 +119,8 @@ locals {
 
   # final targets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+  
+  exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 
 #-----------------------------------------------------------------
@@ -127,7 +129,7 @@ locals {
 
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
-  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  for_each  = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
   parent_id = each.key
 }
 

modules/onboarding/locals.tf

@@ -119,6 +119,8 @@ locals {
 
   # final targets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+  
+  exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 
 #-----------------------------------------------------------------
@@ -127,7 +129,7 @@ locals {
 
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
-  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  for_each  = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
   parent_id = each.key
 }
 

modules/vm-workload-scanning/locals.tf

@@ -133,6 +133,9 @@ locals {
 
   # final targets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+  // check if root is part of the excluded_ouids
+  isRootExcluded = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 
 #-----------------------------------------------------------------
@@ -141,7 +144,7 @@ locals {
 
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
-  for_each  = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+  for_each  = local.org_configuration == "excluded_ous_only" && !local.isRootExcluded ? var.exclude_ouids : []
   parent_id = each.key
 }