This repository provides automation for granting Stacklet access to pre-existing billing data exports in BigQuery, via Workload Identity Federation.
This module allows a single Stacklet-controlled AWS IAM role to execute BigQuery jobs against any number of billing data exports in GCP. Suitable configuration variables will be supplied by Stacklet, and the resulting outputs must be communicated back to Stacklet.
It must be deployed by an identity with sufficient privileges to:
- grant
roles/bigquery.dataVieweron each configured billing export table - (if
create_projectis set) create a project and associate a billing account id
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| ~> 6.23 | |
| time | ~> 0.12 |
| Name | Version |
|---|---|
| ~> 6.23 | |
| time | ~> 0.12 |
No modules.
| Name | Type |
|---|---|
| google_bigquery_table_iam_member.sa_bq_tables | resource |
| google_iam_workload_identity_pool.stacklet_access | resource |
| google_iam_workload_identity_pool_provider.stacklet_account | resource |
| google_project.billing_export | resource |
| google_project_iam_member.sa_bq_jobs | resource |
| google_project_service.bigquery | resource |
| google_project_service.iamcredentials | resource |
| google_service_account.billing_access | resource |
| google_service_account_iam_policy.billing_access | resource |
| time_sleep.stacklet_access_creation_delay | resource |
| google_bigquery_dataset.table_datasets | data source |
| google_iam_policy.stacklet_role_access | data source |
| google_project.existing | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_tables | Billing export tables in '<project_id>.<dataset_id>.<table_id>' format. | list(string) |
n/a | yes |
| create_project | To create resources in a pre-existing project, set this to false. The pre-existing project must have the 'iamcredentials' and 'bigquery' services enabled. |
bool |
true |
no |
| project_billing_account_id | Billing account responsible for any costs incurred. | string |
null |
no |
| project_folder_id | Where to create the project (optional, exclusive of project_org_id). | string |
null |
no |
| project_id | ID of project to hold all resources. | string |
n/a | yes |
| project_org_id | Where to create the project (optional, exclusive of project_folder_id). | string |
null |
no |
| resource_labels | Labels to apply to the project and applicable resources. | map(string) |
{} |
no |
| resource_prefix | If set, prepended to all non-project resource identifiers. | string |
"" |
no |
| roundtrip_digest | Token used by the Stacklet Platform to detect mismatch between customerConfig and accessConfig. | string |
null |
no |
| stacklet_aws_account_id | AWS account which will use WIF to query billing data (chosen by Stacklet). | string |
n/a | yes |
| stacklet_aws_role_name | AWS IAM role which will use WIF to query billing data (chosen by Stacklet). | string |
n/a | yes |
| Name | Description |
|---|---|
| access_blob | All other outputs crammed into a single copy/pasteable value. |
| project_id | The project the created resources exist in. |
| table_locations | The data location for every table made accessible. |
| wif_audience | The audience value required for impersonation interactions. |
| wif_impersonation_url | The URL used for impersonation interactions. |