# Terraform module to provide Vertice Cloud Cost Optimization service with access to your AWS accounts

This module creates an IAM role that the Vertice Cloud Cost Optimization service assumes to access your AWS account and the services and data it needs within it.

If the account is your AWS management account, configure a Cost and Usage Report (CUR) export and then set the `cur_bucket_name` variable so that the role is granted access to the CUR data in S3.

You can also configure a Cost Optimization Recommendations (COR) export. It reuses the existing CUR bucket named by `cur_bucket_name`; set the `data_export_s3_prefix` variable to choose the S3 prefix under which the export is written.
## Important

Before enabling an AWS Data Export report (COR format) through this template:

- Enable Cost Optimization Hub in Billing and Cost Management in your billing AWS account.
- Create the `AWSServiceRoleForBCMDataExports` service-linked role:
  - In the AWS Console, go to the Billing and Cost Management page.
  - Navigate to Data Exports, click Create, and select Standard data export and Cost optimization recommendations.
  - You should now see a warning table titled "Exports of Cost Optimization Recommendations requires a Service Linked Role (SLR)".
  - If you don't see the warning, you have already created the `AWSServiceRoleForBCMDataExports` service-linked role.
  - In this warning table, click the Create service-linked role button; it creates the necessary role for you.
  - You can leave the page now without finishing the creation of the data export, or you can continue with the settings below.
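Both prerequisites above can also be put under Terraform control, so they survive an account rebuild and show up in review rather than depending on someone remembering the console steps. The block below is an added example, not code from the Vertice module or its README; it assumes the `aws_costoptimizationhub_enrollment_status` and `aws_iam_service_linked_role` resources of the hashicorp/aws 5.x provider and the `bcm-data-exports.amazonaws.com` service principal, all of which you should verify against the provider documentation for the version you pin.

```hcl
# Added example: the two console prerequisites expressed as Terraform resources.
# Assumption: resource names, arguments and the service principal below are as
# documented for the hashicorp/aws 5.x provider; check them for your version.

# Prerequisite 1: enroll the billing (management) account in Cost Optimization Hub.
# include_member_accounts = true lets the hub evaluate every member account of the
# organization, which an organization-wide recommendations export relies on.
resource "aws_costoptimizationhub_enrollment_status" "this" {
  include_member_accounts = true
}

# Prerequisite 2: the service-linked role that BCM Data Exports assumes when it
# writes the COR export. This replaces the "Create service-linked role" button in
# the console warning table. The role name is fixed by AWS
# (AWSServiceRoleForBCMDataExports) and exists at most once per account, so if it
# was already created from the console, import it instead of creating it again.
resource "aws_iam_service_linked_role" "bcm_data_exports" {
  aws_service_name = "bcm-data-exports.amazonaws.com"
  description      = "Lets BCM Data Exports write Cost Optimization Recommendations exports"
}
```

Add `depends_on = [aws_costoptimizationhub_enrollment_status.this, aws_iam_service_linked_role.bcm_data_exports]` to the module block that sets `data_export_enabled = true`, so the export is never created before the role it needs exists. Keeping the service-linked role in state also means a `terraform plan` will flag its removal, which is the kind of silent breakage that otherwise only shows up as a stalled export.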
## Configure access for your AWS Management Account with Cost and Usage Reports (CUR) and Cost Optimization Recommendations (COR) export configured

This is an example of creating a role in your AWS Organizations management account (root/payer), where you host your CUR reports in an S3 bucket that will be accessed by the Vertice cross-account IAM role.

Configuring this module to create the CUR S3 bucket and the CUR report in your AWS Organizations management (root/payer) account is highly recommended. If you want to use the Cost Optimization Recommendations (AWS Data Exports) report, configure this module to create the export in your AWS Organizations management (root/payer) account using the `data_export_enabled` variable.

For the governance IAM role to be created in your account, an ExternalId needs to be set in the `governance_role_external_id` parameter. You will receive this value from Vertice.

Please note that an `aws.us-east-1` provider alias needs to be defined, since Cost and Usage Reports are only supported by AWS in that region.
```hcl
data "aws_caller_identity" "current" {}

module "vertice_cco_integration_role" {
  source = "git::https://github.com/VerticeOne/terraform-aws-vertice-integration.git?ref=<release-version>"

  account_type       = "combined"
  cur_bucket_enabled = true
  cur_report_enabled = true

  billing_policy_addons = {
    # allow managing EC2 Reserved Instances in billing policy
    ec2_ri = true
  }

  cur_bucket_name      = "vertice-cur-reports-athena-${data.aws_caller_identity.current.account_id}"
  cur_report_name      = "athena"
  cur_report_s3_prefix = "cur"

  # If you want to enable the Cost Optimization Recommendations report, add the lines below.
  # Variable names follow the Inputs table of this module (data_export_*).
  # COR section start
  data_export_enabled = true
  data_export_name    = "vertice-cor-reports"
  # COR section end

  governance_role_external_id = "<provided ExternalId value>"

  providers = {
    aws           = aws
    aws.us-east-1 = aws.us-east-1
  }
}

provider "aws" {
  region = "us-west-2" # Replace with desired region for the CUR S3 bucket
}

# Cost and Usage Report only exists in us-east-1
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.64.0"
      # A provider alias for the us-east-1 region is needed because CUR is available only there.
      configuration_aliases = [
        aws,
        aws.us-east-1
      ]
    }
  }
}
```
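The `governance_role_external_id` value is what prevents a confused-deputy attack on the governance role: anyone who learns your role ARN could ask a service that already has a trust relationship with you to assume it on their behalf, and STS only refuses such a request when the trust policy demands an `sts:ExternalId` the caller cannot supply. The module builds a trust policy of this kind by default; the block below is an added example, not the module's default policy, and shows what an explicit policy of that shape looks like when passed through the documented `governance_role_assume_policy_json` override so the conditions can be read and audited. The account ID is a placeholder, and the exact statements of the module's own default are not known from this README.

```hcl
# Added example (not the module's default policy): an explicit trust policy for the
# governance role that (1) only the Vertice account(s) may assume and (2) only when
# the caller presents the agreed ExternalId. Supplying it through
# governance_role_assume_policy_json overrides the policy the module would build.
# Assumptions: the account ID below is a placeholder; the ExternalId comes from Vertice.

variable "vertice_account_ids" {
  type    = list(string)
  default = ["111111111111"] # placeholder; replace with the IDs Vertice provides
}

variable "governance_role_external_id" {
  type      = string
  sensitive = true # not a credential in AWS's model, but no reason to spread it via plan output
}

data "aws_iam_policy_document" "vertice_governance_trust" {
  statement {
    sid     = "VerticeAssumeWithExternalId"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Only the root of each Vertice account; Vertice then delegates internally.
    principals {
      type        = "AWS"
      identifiers = [for id in var.vertice_account_ids : "arn:aws:iam::${id}:root"]
    }

    # Without this condition any caller that can get the trusted account to issue
    # AssumeRole against your role ARN would succeed.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.governance_role_external_id]
    }
  }
}

module "vertice_cco_integration_role" {
  source = "git::https://github.com/VerticeOne/terraform-aws-vertice-integration.git?ref=<release-version>"

  account_type                       = "member"
  governance_role_enabled            = true
  governance_role_external_id        = var.governance_role_external_id
  vertice_account_ids                = var.vertice_account_ids
  governance_role_assume_policy_json = data.aws_iam_policy_document.vertice_governance_trust.json

  providers = {
    aws           = aws
    aws.us-east-1 = aws.us-east-1
  }
}
```

After `terraform apply`, read the trust policy back with `aws iam get-role --role-name <vertice_governance_role_name output> --query Role.AssumeRolePolicyDocument` and confirm that every `Allow` statement for `sts:AssumeRole` carries the `sts:ExternalId` condition and lists only the Vertice account IDs; a role with a trusting principal and no ExternalId condition is the case to treat as a finding.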
The module supports the Split Cost Allocation Data opt-in feature of the Cost and Usage Report, which provides more granular data for ECS/EKS usage. Please note that this feature may increase your costs slightly due to the larger volume of usage data generated.

To enable this feature:

- Opt in to Split Cost Allocation Data in the Cost Management Preferences page of the AWS Console (Step 1 of the guide above).
- Set the `cur_report_split_cost_data = true` variable on this module.
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| aws | >= 5.64.0, < 6.0.0 |

## Providers

No providers.
## Inputs

| Name | Description | Type | Required |
|---|---|---|---|
| `account_type` | The type of the AWS account. The possible values are `billing`, `member` and `combined`. Use `billing` if the target account is only for billing purposes (generating the CUR report and exporting it to Vertice via an S3 bucket). Use `member` if the account contains active workload and you want to allow the VerticeGovernance role to perform spend optimization actions in the account on your behalf. Use `combined` for both of the above. | `string` | yes |
| `billing_policy_addons` | Enable optional add-ons for the `billing`/`combined` account IAM policy. | `object({…})` | no |
| `cur_bucket_enabled` | Whether to enable the module that creates the S3 bucket for Cost and Usage Report data. | `bool` | no |
| `cur_bucket_force_destroy` | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
| `cur_bucket_lifecycle_rules` | List of maps containing configuration of object lifecycle management on the S3 bucket holding CUR data. | `any` | no |
| `cur_bucket_name` | The name of the bucket which will be used to store the CUR data for Vertice. | `string` | no |
| `cur_bucket_versioning` | Map containing versioning configuration on the S3 bucket holding CUR data. | `map(string)` | no |
| `cur_report_enabled` | Whether to enable the module that creates the Cost and Usage Report. | `bool` | no |
| `cur_report_name` | The name of the CUR report for Vertice. | `string` | no |
| `cur_report_s3_prefix` | The prefix for the S3 bucket path where the CUR data will be saved. | `string` | no |
| `cur_report_split_cost_data` | Enable Split Cost Allocation Data inclusion in CUR. Note that manual opt-in is needed in the AWS Console. | `bool` | no |
| `data_export_columns` | List of column names to select from the COST_OPTIMIZATION_RECOMMENDATIONS table. | `list(string)` | no |
| `data_export_enabled` | Enable AWS Data Export functionality. | `bool` | no |
| `data_export_name` | The name of the AWS Data Export created for Vertice. | `string` | no |
| `data_export_s3_prefix` | The prefix for the S3 bucket path where the AWS Data Export data will be saved. | `string` | no |
| `data_export_table_config` | COR table configuration; see https://docs.aws.amazon.com/cur/latest/userguide/table-dictionary-cor.html for details. | `object({…})` | no |
| `governance_role_additional_policy_json` | Custom additional policy in JSON format to attach to the VerticeGovernance role. Default is `null` for no additional policy. | `string` | no |
| `governance_role_assume_policy_json` | Optional override for the VerticeGovernanceRole assume policy. A default assume role policy is constructed if this is not provided. | `string` | no |
| `governance_role_enabled` | Whether to enable the module that creates the VerticeGovernance role for Cloud Cost Optimization. | `bool` | no |
| `governance_role_external_id` | STS external ID value to require for assuming the governance role. Required if the governance IAM role is to be created. You will receive this from Vertice. | `string` | no |
| `vertice_account_ids` | List of account IDs which are allowed to access the Vertice cross-account role. | `list(string)` | no |
## Outputs

| Name | Description |
|---|---|
| `cur_report_name` | Name of the CUR report created. |
| `cur_report_s3_prefix` | Name of the S3 prefix used by the CUR report. |
| `data_export_name` | Name of the COR report created. |
| `data_export_s3_prefix` | Name of the S3 prefix used by the COR report. |
| `vertice_account_ids` | Account IDs of Vertice allowed to access your AWS resources. |
| `vertice_governance_role_arn` | The ARN of the VerticeGovernance role created. |
| `vertice_governance_role_name` | The name of the VerticeGovernance role created. |