Cleanup partial support for delegated_admin (#14)

Fix summary:
-------------
Fixing the partial support for delegated_admin in all modules,
since this support does not fully onboard an org via delegated
admin account today.

Note: the full, complete and well tested support for delegated
admin will be added later separately.

modules/agentless-scanning/README.md

@@ -6,7 +6,7 @@ The following resources will be created in each instrumented account through Clo
 - An `IAM Role` and associated `policies` that allows Sysdig to perform tasks necessary for agentless scanning.
 - A `KMS key` used to transcript volume snapshots in the each region. `Alias` for this key in each region.
 
-When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization. If a delegated admin account is used, only SERVICE_MANAGED stacksets will be created in the delegated admin account, responsible for creating the above resources in each account in the organization.
+When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization.
 
 This module will also deploy a Trusted Role Component and a Crypto Key Component in Sysdig Backend for onboarded Sysdig Cloud Account.
 
@@ -74,7 +74,6 @@ No modules.
 | <a name="auto_create_stackset_roles"></a> [auto\_create\_stackset\_roles](#input\_auto\_create\_stackset\_roles) | Whether to auto create the custom stackset roles to run SELF_MANAGED stackset | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
-| <a name="delegated_admin"></a> [delegated_admin](#input\_delegated\_admin) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
 
 ## Outputs

modules/agentless-scanning/main.tf

@@ -7,13 +7,10 @@
 # For Organizational installs, see organizational.tf.
 #
 # For single installs, the resources in this file are used to instrument the singleton account, whether it is a management account or a
-# member account. (delegated admin account is a noop here for single installs)
+# member account.
 #
 # For organizational installs, resources in this file get created for management account only. (because service-managed stacksets do not
 # include the management account they are created in, even if this account is within the target Organization).
-# If a delegated admin account is used instead (determined via delegated_admin flag), resources will skip creation. This is because we
-# don't want to create these stacksets if user provides a delegated admin account instead of management account. (because service-managed
-# stacksets include the delegated admin account already)
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 #-----------------------------------------------------------------------------------------
@@ -69,8 +66,7 @@ resource "random_id" "suffix" {
 
 # IAM Policy Document used by Stackset roles for the KMS operations policy
 data "aws_iam_policy_document" "kms_operations" {
-  # skip in org case if delegated_admin is used
-  count = (var.is_organizational && var.delegated_admin) || !var.auto_create_stackset_roles ? 0 : 1
+  count = !var.auto_create_stackset_roles ? 0 : 1
 
   statement {
     sid = "KmsOperationsAccess"
@@ -85,8 +81,7 @@ data "aws_iam_policy_document" "kms_operations" {
 }
 
 resource "aws_iam_role" "scanning_stackset_admin_role" {
-  # skip resource creation in org case if delegated_admin is used
-  count = (var.is_organizational && var.delegated_admin) || !var.auto_create_stackset_roles ? 0 : 1
+  count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
   tags = var.tags
@@ -121,8 +116,7 @@ EOF
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "scanning_stackset_execution_role" {
-  # skip resource creation in org case if delegated_admin is used
-  count = (var.is_organizational && var.delegated_admin) || !var.auto_create_stackset_roles ? 0 : 1
+  count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetExecutionRoleForScanning"
   tags = var.tags
@@ -157,9 +151,6 @@ EOF
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 data "aws_iam_policy_document" "scanning" {
-  # skip in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   # General read permission, necessary for the discovery phase.
   statement {
     sid = "Read"
@@ -322,12 +313,9 @@ data "aws_iam_policy_document" "scanning" {
 }
 
 resource "aws_iam_policy" "scanning_policy" {
-  # skip resource creation in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   name        = local.scanning_resource_name
   description = "Grants Sysdig Secure access to volumes and snapshots"
-  policy      = data.aws_iam_policy_document.scanning[0].json
+  policy      = data.aws_iam_policy_document.scanning.json
   tags        = var.tags
 }
 
@@ -336,9 +324,6 @@ resource "aws_iam_policy" "scanning_policy" {
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 data "aws_iam_policy_document" "scanning_assume_role_policy" {
-  # skip resource creation in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   statement {
     sid = "SysdigSecureScanning"
 
@@ -367,21 +352,15 @@ data "aws_iam_policy_document" "scanning_assume_role_policy" {
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "scanning_role" {
-  # skip resource creation in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   name               = local.scanning_resource_name
   tags               = var.tags
-  assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json
+  assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy.json
 }
 
 resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
-  # skip resource creation in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   name       = local.scanning_resource_name
-  roles      = [aws_iam_role.scanning_role[0].name]
-  policy_arn = aws_iam_policy.scanning_policy[0].arn
+  roles      = [aws_iam_role.scanning_role.name]
+  policy_arn = aws_iam_policy.scanning_policy.arn
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -393,9 +372,6 @@ resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_cloudformation_stack_set" "primary_acc_stackset" {
-  # skip self managed stacksets in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   name                    = join("-", [local.scanning_resource_name, "ScanningKmsPrimaryAcc"])
   tags                    = var.tags
   permission_model        = "SELF_MANAGED"
@@ -458,11 +434,10 @@ TEMPLATE
 
 # stackset instance to deploy resources for agentless scanning, in all regions of given account
 resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance" {
-  # skip self managed stackset instances in org case if delegated_admin is used
-  for_each = var.is_organizational && var.delegated_admin ? toset([]) : local.region_set
+  for_each = local.region_set
   region   = each.key
 
-  stack_set_name = aws_cloudformation_stack_set.primary_acc_stackset[0].name
+  stack_set_name = aws_cloudformation_stack_set.primary_acc_stackset.name
   operation_preferences {
     max_concurrent_percentage    = 100
     failure_tolerance_percentage = var.failure_tolerance_percentage

modules/agentless-scanning/organizational.tf

@@ -5,9 +5,6 @@
 # Non-global / Regional resources:
 # - a KMS Primary key is created, in each region of region list,
 # - an Alias by the same name for the respective key, in each region of region list.
-#
-# If a delegated admin account is used (determined via delegated_admin flag), service-managed stacksets will be created
-# acting as delegated_admin to deploy resources in all acocunts within AWS Organization.
 #-----------------------------------------------------------------------------------------------------------------------
 
 data "aws_organizations_organization" "org" {
@@ -44,8 +41,6 @@ resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
     ignore_changes = [administration_role_arn]
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   template_body = <<TEMPLATE
 Resources:
   AgentlessScanningRole:
@@ -143,8 +138,6 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
     # Roles are not regional and hence do not need regional parallelism
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   timeouts {
     create = var.timeout
     update = var.timeout
@@ -180,8 +173,6 @@ resource "aws_cloudformation_stack_set" "ou_resources_stackset" {
     ignore_changes = [administration_role_arn]
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   template_body = <<TEMPLATE
 Resources:
   AgentlessScanningKmsPrimaryKey:
@@ -239,8 +230,6 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
     region_concurrency_type      = "PARALLEL"
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   timeouts {
     create = var.timeout
     update = var.timeout

modules/agentless-scanning/variables.tf

@@ -78,12 +78,6 @@ variable "failure_tolerance_percentage" {
   default     = 90
 }
 
-variable "delegated_admin" {
-  description = "Whether a delegated admin account will be used"
-  type        = bool
-  default     = false
-}
-
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)"

modules/config-posture/README.md

@@ -51,7 +51,6 @@ No modules.
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
-| <a name="delegated_admin"></a> [delegated_admin](#input\_delegated\_admin) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |
 
 ## Outputs
 

modules/config-posture/main.tf

@@ -18,7 +18,6 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
 # Since this is not an Organizational deploy, create role/polices directly
 #----------------------------------------------------------
 resource "aws_iam_role" "cspm_role" {
-  count               = var.delegated_admin ? 0 : 1
   name                = local.config_posture_role_name
   tags                = var.tags
   assume_role_policy  = <<EOF

modules/config-posture/organizational.tf

@@ -35,8 +35,6 @@ resource "aws_cloudformation_stack_set" "stackset" {
     ignore_changes = [administration_role_arn]
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   template_body = <<TEMPLATE
 Resources:
   SysdigCSPMRole:
@@ -104,8 +102,6 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
     # Roles are not regional and hence do not need regional parallelism
   }
 
-  call_as = var.delegated_admin ? "DELEGATED_ADMIN" : "SELF"
-
   timeouts {
     create = var.timeout
     update = var.timeout

modules/config-posture/variables.tf

@@ -41,13 +41,6 @@ variable "failure_tolerance_percentage" {
   default     = 90
 }
 
-
-variable "delegated_admin" {
-  description = "Whether a delegated admin account will be used"
-  type        = bool
-  default     = false
-}
-
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"

modules/integrations/event-bridge/README.md

@@ -7,8 +7,7 @@ The following resources will be created in each instrumented account through Clo
 - An `EventBridge Target` that sends these events to an EventBridge Bus is Sysdig's AWS Account
 - An `IAM Role` and associated policies that gives the EventBridge Bus in the source account permission to call PutEvent on the EventBridge Bus in Sysdig's Account.
 
-When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization. If a delegated admin account is used, only
-SERVICE_MANAGED stacksets will be created in the delegated admin account, responsible for creating the above resources in each account in the organization.
+When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization.
 
 This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account.
 
@@ -72,7 +71,6 @@ No modules.
 | <a name="auto_create_stackset_roles"></a> [auto\_create\_stackset\_roles](#input\_auto\_create\_stackset\_roles) | Whether to auto create the custom stackset roles to run SELF_MANAGED stackset | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
-| <a name="delegated_admin"></a> [delegated_admin](#input\_delegated\_admin) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
 
 ## Outputs

modules/integrations/event-bridge/main.tf

@@ -3,13 +3,10 @@
 # For Organizational installs, see organizational.tf.
 #
 # For single installs, the resources in this file are used to instrument the singleton account, whether it is a management account or a
-# member account. (delegated admin account is a noop here for single installs)
+# member account.
 #
 # For organizational installs, resources in this file get created for management account only. (because service-managed stacksets do not
 # include the management account they are created in, even if this account is within the target Organization).
-# If a delegated admin account is used instead (determined via delegated_admin flag), resources will skip creation. This is because we
-# don't want to create these stacksets if user provides a delegated admin account instead of management account. (because service-managed
-# stacksets include the delegated admin account already)
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 #-----------------------------------------------------------------------------------------
@@ -57,8 +54,7 @@ resource "random_id" "suffix" {
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "event_bus_stackset_admin_role" {
-  # skip resource creation in org case if delegated_admin is used
-  count = (var.is_organizational && var.delegated_admin) || !var.auto_create_stackset_roles ? 0 : 1
+  count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetAdministrationRoleForEB"
   tags = var.tags
@@ -89,8 +85,7 @@ EOF
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "event_bus_stackset_execution_role" {
-  # skip resource creation in org case if delegated_admin is used
-  count = (var.is_organizational && var.delegated_admin) || !var.auto_create_stackset_roles ? 0 : 1
+  count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetExecutionRoleForEB"
   tags = var.tags
@@ -125,9 +120,6 @@ EOF
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
-  # skip resource creation in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   name = local.eb_resource_name
   tags = var.tags
 
@@ -208,9 +200,6 @@ data "aws_iam_policy_document" "cloud_trail_events" {
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_cloudformation_stack_set" "primary-acc-stackset" {
-  # skip self managed stacksets in org case if delegated_admin is used
-  count = var.is_organizational && var.delegated_admin ? 0 : 1
-
   # for single installs, primary account is the singleton account provided. for org installs, it is the mgmt account
   name                    = join("-", [local.eb_resource_name, "EBRulePrimaryAcc"])
   tags                    = var.tags
@@ -243,10 +232,9 @@ resource "aws_cloudformation_stack_set" "primary-acc-stackset" {
 
 // stackset instance to deploy rule in all regions of given account
 resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance" {
-  # skip self managed stackset instances in org case if delegated_admin is used
-  for_each       = var.is_organizational && var.delegated_admin ? toset([]) : local.region_set
+  for_each       = local.region_set
   region         = each.key
-  stack_set_name = aws_cloudformation_stack_set.primary-acc-stackset[0].name
+  stack_set_name = aws_cloudformation_stack_set.primary-acc-stackset.name
 
   operation_preferences {
     max_concurrent_percentage    = 100