Migration Guide

This guide helps you migrate AWS Organization onboarding from the deprecated parameters to the include/exclude parameters.

Sysdig has deprecated the legacy organizational_unit_ids and org_units parameters used in earlier AWS Organization onboarding configurations. If you onboarded AWS before November 2025, your Terraform or CloudFormation templates may still include these fields.

To maintain compatibility and receive future updates, migrate your configuration to the supported parameters:

  • include_ouids
  • exclude_ouids
  • include_accounts
  • exclude_accounts

This migration updates your configuration only. Your existing onboarding behavior remains the same unless you choose to adjust which OUs or accounts are included.

Before You Begin

Review your current onboarding method:

  • Terraform
  • CloudFormation (CFT)

Choose the instructions that match your environment and whether you want to keep the same Organization structure or modify it.

Terraform Migration

Scenario A: Keep the Same AWS Organization Structure

Use this section if you want to migrate to the new include/exclude parameters without changing which OUs or accounts Sysdig monitors.

Foundational/CSPM Only

  1. Map existing values. Copy the values from organizational_unit_ids into include_ouids. If organizational_unit_ids is empty, keep include_ouids empty.
  2. Update the onboarding module.

    Replace this line

    organizational_unit_ids = ["ou-xxxx-xxxxxxxx", "ou-xxxx-xxxx"]

    with

    include_ouids     = ["ou-xxxx-xxxxxxxx", "ou-xxxx-xxxx"]
    exclude_ouids     = []
    include_accounts  = []
    exclude_accounts  = []

  3. Update the config posture module.

    Replace this line

    org_units = ["ou-xxxx-xxxxxxxx", "ou-xxxx-xxxx"]

    with

    include_ouids    = module.onboarding.include_ouids
    exclude_ouids    = module.onboarding.exclude_ouids
    include_accounts = module.onboarding.include_accounts
    exclude_accounts = module.onboarding.exclude_accounts

  4. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply


Foundational/CSPM + CDR

  1. Complete the above steps for Foundational/CSPM Only, then update the log-ingestion module. Replace this line

    org_units = module.onboarding.organizational_unit_ids
    

    with

    include_ouids     = module.onboarding.include_ouids
    exclude_ouids     = module.onboarding.exclude_ouids
    include_accounts  = module.onboarding.include_accounts
    exclude_accounts  = module.onboarding.exclude_accounts
    
  2. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Foundational/CSPM + Host Scanning

  1. Replace the following in the host-scanning snippet:

    org_units = module.onboarding.organizational_unit_ids
    

    with

    include_ouids     = module.onboarding.include_ouids
    exclude_ouids     = module.onboarding.exclude_ouids
    include_accounts  = module.onboarding.include_accounts
    exclude_accounts  = module.onboarding.exclude_accounts
    
  2. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Foundational/CSPM + Workload Scanning

  1. Replace the following in the workload-scanning snippet:

    org_units = module.onboarding.organizational_unit_ids
    

    with

    include_ouids     = module.onboarding.include_ouids
    exclude_ouids     = module.onboarding.exclude_ouids
    include_accounts  = module.onboarding.include_accounts
    exclude_accounts  = module.onboarding.exclude_accounts
    
  2. Apply the changes. Run the following commands:

    terraform init --upgrade
    terraform apply
    

Scenario B: Change the AWS Organization Structure During Migration

Follow these instructions if you want to adjust which OUs or accounts Sysdig monitors.

  1. Create a new working folder.
  2. Copy your existing terraform.tfstate file into the folder.
  3. Copy the latest foundational.tf file into the folder.
  4. Update the include_* / exclude_* values to match your desired structure.
  5. Remove deprecated fields. Delete all references to the old parameters from your configuration:
    • organizational_unit_ids
    • org_units
    These fields are no longer supported and will cause Terraform to fail if left in place.
  6. Apply the update. Run the following commands:

    terraform init --upgrade
    terraform apply

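The value mapping from Scenario A and the deprecated-field check from step 5 of Scenario B, as an added example that is not part of this guide or of Sysdig's modules: a small Python rewriter for single-line Terraform assignments. The module name onboarding and the sample configuration are assumptions taken from the snippets above.

```python
import re

DEPRECATED = ("organizational_unit_ids", "org_units")
NEW_FIELDS = ("include_ouids", "exclude_ouids", "include_accounts", "exclude_accounts")

# One deprecated assignment per line: captures indent, attribute name and right-hand side.
_ASSIGN = re.compile(r"^([ \t]*)(organizational_unit_ids|org_units)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
_DEPRECATED_REF = re.compile(r"\b(" + "|".join(DEPRECATED) + r")\b")


def migrate_hcl(text: str) -> str:
    """Rewrite deprecated single-line assignments in Terraform source text.

    organizational_unit_ids = [...] (onboarding module) becomes a literal include_ouids with
    the same values and empty lists for the other three fields; org_units = ... (posture,
    log-ingestion, scanning modules) becomes references to the outputs of a module assumed
    to be named "onboarding", as in the guide's snippets.
    """
    width = max(len(f) for f in NEW_FIELDS)

    def repl(match):
        indent, name, rhs = match.groups()
        if name == "organizational_unit_ids":
            values = [rhs, "[]", "[]", "[]"]
        else:
            values = [f"module.onboarding.{f}" for f in NEW_FIELDS]
        return "\n".join(f"{indent}{f.ljust(width)} = {v}" for f, v in zip(NEW_FIELDS, values))

    return _ASSIGN.sub(repl, text)


def find_deprecated(text: str) -> list:
    """(line number, stripped line) for every remaining deprecated reference.
    Run over every .tf file before terraform apply: any hit means the apply will fail."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if _DEPRECATED_REF.search(line)]


# Constructed sample: a pre-November-2025 style configuration using both deprecated fields.
SAMPLE_TF = """module "onboarding" {
  organizational_unit_ids = ["ou-xxxx-xxxxxxxx", "ou-xxxx-xxxx"]
}

module "config_posture" {
  org_units = module.onboarding.organizational_unit_ids
}
"""

if __name__ == "__main__":
    print(migrate_hcl(SAMPLE_TF))
    print("leftover deprecated references:", find_deprecated(migrate_hcl(SAMPLE_TF)))
```

Multi-line list literals are not handled; run find_deprecated afterwards to catch anything the rewriter left in place.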

Example Configurations

Onboard the Entire Organization

include_ouids = ["r-op65"]
exclude_ouids = []
include_accounts = []
exclude_accounts = []

Onboard Specific OUs

include_ouids = ["ou-op65-p8bpskxa"]

Exclude Specific OUs

exclude_ouids = ["ou-op65-example"]

Exclude Individual Accounts

exclude_accounts = ["562567805211"]

Include OUs But Exclude Some Accounts Inside Them

include_ouids    = ["ou-op65-teamA"]
exclude_accounts = ["123456789012"]

CloudFormation (CFT) Migration

To migrate CloudFormation-based onboarding, update your Organization settings using the includedOrganizationalGroups field.

Example PUT request

{
  "managementAccountId": "2786e484-888d-44bd-ad55-67a3bd0e2506",
  "includedOrganizationalGroups": [
    "ou-op65-0glv51jv",
    "ou-op65-p8bpskxa"
  ],
  "organizationRootId": "r-op65"
}

Expected Behavior After Migration

New AWS Accounts

If AWS accounts were created before the migration, Sysdig automatically detects and adds them.

Deleted AWS Accounts

If accounts were deleted in AWS before the migration:

  • They may continue to appear in CloudAuth.
  • CloudAuth may show a validation error for each deleted account (if automatic onboarding is disabled).
  • terraform destroy may require manually removing CloudFormation StackSet instances in AWS.

After You Migrate

  • All future changes should use include_ouids, exclude_ouids, include_accounts, and exclude_accounts.
  • Remove all references to deprecated parameters:
    • organizational_unit_ids
    • org_units

Using the updated parameters ensures compatibility with upcoming enhancements and future onboarding updates.