FEATURE ASH-249: Add ElastiCache, ES, Redshift reservation rights (#52)

kristian-lesko · web-flow · commit be5cb01a0d9a · 2024-10-09T11:53:28.000+02:00
diff --git a/README.md b/README.md
@@ -104,7 +104,7 @@ No providers.
 | Name | Description | Type | Required |
 |------|-------------|------|:--------:|
 | <a name="input_account_type"></a> [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `billing`, `member` and `combined`.<br>Use `billing` if the target account is only for billing purposes (generating CUR report and exporting it to Vertice via S3 bucket).<br>Use `member` if the account contains active workload and you want to allow `VerticeGovernance` role to perform spend optimization actions in the account on your behalf.<br>Use `combined` for both of the above. | `string` | yes |
-| <a name="input_billing_policy_addons"></a> [billing\_policy\_addons](#input\_billing\_policy\_addons) | Enable optional add-ons for the `billing`/`combined` account IAM policy. | <pre>object({<br>    ec2_ri = optional(bool, true),<br>    rds_ri = optional(bool, true),<br>  })</pre> | no |
+| <a name="input_billing_policy_addons"></a> [billing\_policy\_addons](#input\_billing\_policy\_addons) | Enable optional add-ons for the `billing`/`combined` account IAM policy. | <pre>object({<br>    elasticache_ri = optional(bool, true),<br>    ec2_ri         = optional(bool, true),<br>    es_ri          = optional(bool, true),<br>    rds_ri         = optional(bool, true),<br>    redshift_ri    = optional(bool, true),<br>  })</pre> | no |
 | <a name="input_cur_bucket_enabled"></a> [cur\_bucket\_enabled](#input\_cur\_bucket\_enabled) | Whether to enable the module that creates S3 bucket for Cost Usage Report data. | `bool` | no |
 | <a name="input_cur_bucket_force_destroy"></a> [cur\_bucket\_force\_destroy](#input\_cur\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
 | <a name="input_cur_bucket_lifecycle_rules"></a> [cur\_bucket\_lifecycle\_rules](#input\_cur\_bucket\_lifecycle\_rules) | List of maps containing configuration of object lifecycle management on the S3 bucket holding CUR data. | `any` | no |
diff --git a/modules/vertice-governance-role/README.md b/modules/vertice-governance-role/README.md
@@ -47,7 +47,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_type"></a> [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `billing`, `member` and `combined`.<br>Use `billing` if the target account is only for billing purposes (generating CUR report and exporting it to Vertice via S3 bucket).<br>Use `member` if the account contains active workload and you want to allow `VerticeGovernance` role to perform spend optimization actions in the account on your behalf.<br>Use `combined` for both of the above. | `string` | n/a | yes |
-| <a name="input_billing_policy_addons"></a> [billing\_policy\_addons](#input\_billing\_policy\_addons) | Enable optional add-ons for the `billing`/`combined` account IAM policy. | <pre>object({<br>    ec2_ri = optional(bool, true),<br>    rds_ri = optional(bool, true),<br>  })</pre> | `{}` | no |
+| <a name="input_billing_policy_addons"></a> [billing\_policy\_addons](#input\_billing\_policy\_addons) | Enable optional add-ons for the `billing`/`combined` account IAM policy. | <pre>object({<br>    elasticache_ri = optional(bool, true),<br>    ec2_ri         = optional(bool, true),<br>    es_ri          = optional(bool, true),<br>    rds_ri         = optional(bool, true),<br>    redshift_ri    = optional(bool, true),<br>  })</pre> | `{}` | no |
 | <a name="input_cur_bucket_name"></a> [cur\_bucket\_name](#input\_cur\_bucket\_name) | The name of the bucket which will be used to store the CUR data for Vertice. | `string` | `null` | no |
 | <a name="input_data_export_enabled"></a> [data\_export\_enabled](#input\_data\_export\_enabled) | Include policy enabling access to AWS Data Exports. | `bool` | `false` | no |
 | <a name="input_governance_role_additional_policy_json"></a> [governance\_role\_additional\_policy\_json](#input\_governance\_role\_additional\_policy\_json) | Custom additional policy in JSON format to attach to VerticeGovernance role. Default is `null` for no additional policy. | `string` | `null` | no |
diff --git a/modules/vertice-governance-role/iam_policies.tf b/modules/vertice-governance-role/iam_policies.tf
@@ -93,6 +93,20 @@ data "aws_iam_policy_document" "vertice_billing_access" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.billing_policy_addons.elasticache_ri ? [1] : []
+    content {
+      sid    = "VerticeElastiCacheReservedInstancesAccess"
+      effect = "Allow"
+      actions = [
+        "elasticache:DescribeReservedCacheNodes",
+        "elasticache:DescribeReservedCacheNodesOfferings",
+        "elasticache:PurchaseReservedCacheNodesOffering",
+      ]
+      resources = ["*"]
+    }
+  }
+
   dynamic "statement" {
     for_each = var.billing_policy_addons.ec2_ri ? [1] : []
     content {
@@ -115,6 +129,20 @@ data "aws_iam_policy_document" "vertice_billing_access" {
     }
   }
 
+  dynamic "statement" {
+    for_each = var.billing_policy_addons.es_ri ? [1] : []
+    content {
+      sid    = "VerticeOpenSearchReservedInstancesAccess"
+      effect = "Allow"
+      actions = [
+        "es:DescribeReservedInstanceOfferings",
+        "es:DescribeReservedInstances",
+        "es:PurchaseReservedInstanceOffering",
+      ]
+      resources = ["*"]
+    }
+  }
+
   dynamic "statement" {
     for_each = var.billing_policy_addons.rds_ri ? [1] : []
     content {
@@ -129,6 +157,20 @@ data "aws_iam_policy_document" "vertice_billing_access" {
       resources = ["*"]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.billing_policy_addons.redshift_ri ? [1] : []
+    content {
+      sid    = "VerticeRedshiftReservedInstancesAccess"
+      effect = "Allow"
+      actions = [
+        "redshift:DescribeReservedNodeOfferings",
+        "redshift:DescribeReservedNodes",
+        "redshift:PurchaseReservedNodeOffering",
+      ]
+      resources = ["*"]
+    }
+  }
 }
 
 resource "aws_iam_policy" "vertice_billing_access" {
diff --git a/modules/vertice-governance-role/variables.tf b/modules/vertice-governance-role/variables.tf
@@ -53,8 +53,11 @@ variable "account_type" {
 variable "billing_policy_addons" {
   description = "Enable optional add-ons for the `billing`/`combined` account IAM policy."
   type = object({
-    ec2_ri = optional(bool, true),
-    rds_ri = optional(bool, true),
+    elasticache_ri = optional(bool, true),
+    ec2_ri         = optional(bool, true),
+    es_ri          = optional(bool, true),
+    rds_ri         = optional(bool, true),
+    redshift_ri    = optional(bool, true),
   })
   default = {}
 }
diff --git a/variables.tf b/variables.tf
@@ -55,8 +55,11 @@ variable "governance_role_additional_policy_json" {
 variable "billing_policy_addons" {
   description = "Enable optional add-ons for the `billing`/`combined` account IAM policy."
   type = object({
-    ec2_ri = optional(bool, true),
-    rds_ri = optional(bool, true),
+    elasticache_ri = optional(bool, true),
+    ec2_ri         = optional(bool, true),
+    es_ri          = optional(bool, true),
+    rds_ri         = optional(bool, true),
+    redshift_ri    = optional(bool, true),
   })
   default = {}
 }
