
Terraform module to provide Vertice Cloud Cost Optimization with access to your AWS accounts


VerticeOne/terraform-aws-vertice-integration


Terraform module to provide Vertice Cloud Cost Optimization service with access to your AWS accounts

This module handles creating a role to be used by Vertice Cloud Cost Optimization service to access your AWS account and access required services and data within it.

Usage

If the account is your AWS Management account, you should configure a Cost and Usage Reports (CUR) export and then provide the cur_bucket_name variable so that the role is granted access to the CUR data within S3.

Configure access for your AWS Management Account with Cost and Usage Reports (CUR) export configured

This is an example of creating a role in your AWS Organizations management account (root/payer), where you host your CUR reports in an S3 bucket that will be accessed by the Vertice cross-account IAM role.

Configuring this module to create CUR S3 bucket and CUR report in your AWS Organizations management (root/payer) account is highly recommended.

For the governance IAM role to be created in your account, an ExternalId needs to be set in the governance_role_external_id parameter. You will receive this value from Vertice.

Please note that an aws.us-east-1 provider alias needs to be defined, since Cost and Usage Reports are only supported by AWS in that region.

```hcl
data "aws_caller_identity" "current" {}

module "vertice_cco_integration_role" {
  source        = "git::https://github.com/VerticeOne/terraform-aws-vertice-integration.git?ref=<release-version>"

  account_type = "billing"
  cur_bucket_enabled = true
  cur_report_enabled = true

  billing_policy_addons = {
    # allow managing EC2 Reserved Instances in billing policy
    ec2_ri = true
  }

  cur_bucket_name = "vertice-cur-reports-athena-${data.aws_caller_identity.current.account_id}"

  cur_report_name      = "athena"
  cur_report_s3_prefix = "cur"

  governance_role_external_id = "<provided ExternalId value>"

  providers = {
    aws = aws

    aws.us-east-1 = aws.us-east-1
  }
}

provider "aws" {
  region = "us-west-2" # Replace with desired region for the CUR S3 bucket
}

# Cost and Usage Report only exists in us-east-1
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

terraform {
  required_version = ">= 1.1.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.64.0"

      # A provider alias for us-east-1 region is needed because CUR is available only there.
      configuration_aliases = [
        aws,
        aws.us-east-1
      ]
    }
  }
}
```
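The governance_role_external_id and vertice_account_ids inputs used above are what restrict the cross-account role to Vertice alone (the classic confused-deputy problem for third-party roles). The following Python is an added example, not code from this module: it audits a role trust policy document of that shape (for instance the AssumeRolePolicyDocument returned by `aws iam get-role`) and reports any AssumeRole grant that is open to an account outside the allowed list or that lacks the expected sts:ExternalId condition. The sample policy, the account ID and the ExternalId are constructed placeholders.

```python
import json

# Constructed sample trust policy of the kind a cross-account governance role carries:
# the partner account may assume the role only with the agreed ExternalId (placeholders).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Return the 12-digit account ID from a principal ARN, a bare ID or '*'."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def trust_policy_findings(policy_json, allowed_account_ids, expected_external_id):
    """Audit a trust policy; an empty list means every AssumeRole grant to an AWS
    principal is limited to allowed_account_ids and requires expected_external_id."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if not aws_principals:
            continue  # service-principal-only statements are out of scope for this check
        for p in aws_principals:
            acct = _principal_account(p)
            if acct == "*" or acct not in allowed_account_ids:
                findings.append(f"statement {idx}: principal {p} is not an allowed account")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy exposure)")
        elif expected_external_id not in ext_ids:
            findings.append(f"statement {idx}: sts:ExternalId does not match the expected value")
    return findings
```

Run it against the trust policy of the role the module creates, passing the vertice_account_ids output as the allowed set and the ExternalId Vertice gave you as the expected value; any finding is a drift from the intended trust relationship.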

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.4 |
| aws | >= 4.64.0 |

Providers

No providers.

Inputs

| Name | Description | Type | Required |
|------|-------------|------|----------|
| account_type | The type of the AWS account. The possible values are `billing`, `member` and `combined`. Use `billing` if the target account is only for billing purposes (generating the CUR report and exporting it to Vertice via the S3 bucket). Use `member` if the account contains active workload and you want to allow the VerticeGovernance role to perform spend optimization actions in the account on your behalf. Use `combined` for both of the above. | string | yes |
| billing_policy_addons | Enable optional add-ons for the billing/combined account IAM policy. | object({ ec2_ri = optional(bool, true), rds_ri = optional(bool, true) }) | no |
| cur_bucket_enabled | Whether to enable the module that creates the S3 bucket for Cost and Usage Report data. | bool | no |
| cur_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | no |
| cur_bucket_lifecycle_rules | List of maps containing the configuration of object lifecycle management on the S3 bucket holding CUR data. | any | no |
| cur_bucket_name | The name of the bucket which will be used to store the CUR data for Vertice. | string | no |
| cur_bucket_versioning | Map containing the versioning configuration of the S3 bucket holding CUR data. | map(string) | no |
| cur_report_enabled | Whether to enable the module that creates the Cost and Usage Report definition that writes into the CUR S3 bucket. | bool | no |
| cur_report_name | The name of the CUR report for Vertice. | string | no |
| cur_report_s3_prefix | The prefix for the S3 bucket path to where the CUR data will be saved. | string | no |
| governance_role_additional_policy_json | Custom additional policy in JSON format to attach to the VerticeGovernance role. Default is null for no additional policy. | string | no |
| governance_role_enabled | Whether to enable the module that creates the VerticeGovernance role for the Cloud Cost Optimization. | bool | no |
| governance_role_external_id | STS external ID value to require for assuming the governance role. Required if the governance IAM role is to be created. You will receive this from Vertice. | string | no |
| vertice_account_ids | List of Account IDs which are allowed to access the Vertice cross-account role. | list(string) | no |

Outputs

| Name | Description |
|------|-------------|
| cur_report_name | Name of the CUR report created. |
| cur_report_s3_prefix | Name of the S3 prefix used by the CUR report. |
| vertice_account_ids | Account IDs of Vertice allowed to access your AWS resources. |
| vertice_governance_role_arn | The ARN of the VerticeGovernance role created. |
| vertice_governance_role_name | The name of the VerticeGovernance role created. |