From 4143a8a56eeb945f07440078fcb13071923e8954 Mon Sep 17 00:00:00 2001
From: Marat Salakhutdinov <marat.salakhutdinov@sysdig.com>
Date: Thu, 13 Mar 2025 22:25:21 -0400
Subject: [PATCH 1/2] create stackset instance for each OU separately, so that
 we don't recreate everything during changes

---
 modules/agentless-scanning/organizational.tf        |  8 ++++----
 modules/config-posture/organizational.tf            |  4 ++--
 modules/integrations/event-bridge/organizational.tf | 12 ++++++------
 modules/onboarding/organizational.tf                |  4 ++--
 modules/vm-workload-scanning/organizational.tf      |  4 ++--
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/modules/agentless-scanning/organizational.tf b/modules/agentless-scanning/organizational.tf
index c02ea6b..cf5daca 100644
--- a/modules/agentless-scanning/organizational.tf
+++ b/modules/agentless-scanning/organizational.tf
@@ -191,12 +191,12 @@ TEMPLATE
 
 # stackset instance to deploy resources for agentless scanning, in all regions of each account in all organization units
 resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
-  for_each   = var.is_organizational ? local.region_set : toset([])
-  region     = each.key
-
+  for_each = var.is_organizational ? setproduct(local.region_set, local.organizational_unit_ids) : []
+  
+  region = each.value[0]
   stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.organizational_unit_ids
+    organizational_unit_ids = [each.value[1]]
   }
   operation_preferences {
     max_concurrent_percentage    = 100
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
index 01e74f0..f4d5c18 100644
--- a/modules/config-posture/organizational.tf
+++ b/modules/config-posture/organizational.tf
@@ -88,12 +88,12 @@ TEMPLATE
 }
 
 resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
-  count = var.is_organizational ? 1 : 0
+  for_each = var.is_organizational ? toset(local.org_units_to_deploy) : []
 
   region         = var.region == "" ? null : var.region
   stack_set_name = aws_cloudformation_stack_set.stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.org_units_to_deploy
+    organizational_unit_ids = [each.value]
   }
   operation_preferences {
     max_concurrent_percentage    = 100
diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf
index 53230e4..8815906 100644
--- a/modules/integrations/event-bridge/organizational.tf
+++ b/modules/integrations/event-bridge/organizational.tf
@@ -103,12 +103,12 @@ TEMPLATE
 
 // stackset instance to deploy rule in all organization units
 resource "aws_cloudformation_stack_set_instance" "eb_rule_stackset_instance" {
-  for_each = var.is_organizational ? local.region_set : toset([])
-  region   = each.key
-
+  for_each = var.is_organizational ? setproduct(local.region_set, local.organizational_unit_ids) : []
+  
+  region = each.value[0]
   stack_set_name = aws_cloudformation_stack_set.eb-rule-stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.organizational_unit_ids
+    organizational_unit_ids = [each.value[1]]
   }
   operation_preferences {
     max_concurrent_percentage    = 100
@@ -126,11 +126,11 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_stackset_instance" {
 
 // stackset instance to deploy role in all organization units
 resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
-  count = var.is_organizational ? 1 : 0
+  for_each = var.is_organizational ? toset(local.organizational_unit_ids) : []
 
   stack_set_name = aws_cloudformation_stack_set.eb-role-stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.organizational_unit_ids
+    organizational_unit_ids = [each.value]
   }
   operation_preferences {
     max_concurrent_percentage    = 100
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 151e43f..97ec977 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -66,12 +66,12 @@ TEMPLATE
 }
 
 resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
-  count = var.is_organizational ? 1 : 0
+  for_each = var.is_organizational ? toset(local.org_units_to_deploy) : []
 
   region         = var.region == "" ? null : var.region
   stack_set_name = aws_cloudformation_stack_set.stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.org_units_to_deploy
+    organizational_unit_ids = [each.value]
   }
   operation_preferences {
     max_concurrent_percentage    = 100
diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf
index e90edf0..a0c5c49 100644
--- a/modules/vm-workload-scanning/organizational.tf
+++ b/modules/vm-workload-scanning/organizational.tf
@@ -128,11 +128,11 @@ resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
 
 # stackset instance to deploy agentless scanning role, in all organization units
 resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instance" {
-  count = var.is_organizational ? 1 : 0
+  for_each = var.is_organizational ? toset(local.organizational_unit_ids) : []
 
   stack_set_name = aws_cloudformation_stack_set.scanning_role_stackset[0].name
   deployment_targets {
-    organizational_unit_ids = local.organizational_unit_ids
+    organizational_unit_ids = [each.value]
   }
   operation_preferences {
     max_concurrent_percentage    = 100

From fbefd3c854382ec795cde5bc2349505eca63ec16 Mon Sep 17 00:00:00 2001
From: Marat Salakhutdinov <marat.salakhutdinov@sysdig.com>
Date: Fri, 14 Mar 2025 18:39:28 -0400
Subject: [PATCH 2/2] fix agentless scanning and eb modules

---
 modules/agentless-scanning/organizational.tf        | 7 +++++--
 modules/integrations/event-bridge/organizational.tf | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/agentless-scanning/organizational.tf b/modules/agentless-scanning/organizational.tf
index cf5daca..f5c2cf9 100644
--- a/modules/agentless-scanning/organizational.tf
+++ b/modules/agentless-scanning/organizational.tf
@@ -191,8 +191,11 @@ TEMPLATE
 
 # stackset instance to deploy resources for agentless scanning, in all regions of each account in all organization units
 resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
-  for_each = var.is_organizational ? setproduct(local.region_set, local.organizational_unit_ids) : []
-  
+  for_each = var.is_organizational ? {
+    for pair in setproduct(local.region_set, local.organizational_unit_ids) :
+    "${pair[0]}-${pair[1]}" => pair
+  } : {}
+
   region = each.value[0]
   stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf
index 8815906..8ede7ee 100644
--- a/modules/integrations/event-bridge/organizational.tf
+++ b/modules/integrations/event-bridge/organizational.tf
@@ -103,8 +103,11 @@ TEMPLATE
 
 // stackset instance to deploy rule in all organization units
 resource "aws_cloudformation_stack_set_instance" "eb_rule_stackset_instance" {
-  for_each = var.is_organizational ? setproduct(local.region_set, local.organizational_unit_ids) : []
-  
+  for_each = var.is_organizational ? {
+    for pair in setproduct(local.region_set, local.organizational_unit_ids) :
+    "${pair[0]}-${pair[1]}" => pair
+  } : {}
+
   region = each.value[0]
   stack_set_name = aws_cloudformation_stack_set.eb-rule-stackset[0].name
   deployment_targets {