diff --git a/Makefile b/Makefile
index 2a42925..286e99b 100644
--- a/Makefile
+++ b/Makefile
@@ -70,6 +70,10 @@ upgrade-terraform-example-providers:
init:
@echo "--> Running terraform init"
@terraform init -backend=false
+ @find . -type f -name "*.tf" -not -path '*.terraform*' -exec dirname {} \; | sort -u | while read -r dir; do \
+ echo "--> Running terraform init in $$dir"; \
+ terraform -chdir=$$dir init -backend=false; \
+ done;
security: init
@echo "--> Running Security checks"
diff --git a/README.md b/README.md
index 925e3a2..a283f30 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
-
## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 5.0 | -| [aws.cost\_analysis](#provider\_aws.cost\_analysis) | ~> 5.0 | -| [aws.management](#provider\_aws.management) | ~> 5.0 | +No providers. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [dashboards\_bucket\_name](#input\_dashboards\_bucket\_name) | The name of the bucket to store the dashboards configurations | `string` | n/a | yes | -| [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes | -| [additional\_payer\_accounts](#input\_additional\_payer\_accounts) | List of additional payer accounts to be included in the collectors module | `list(string)` | `[]` | no | -| [enable\_backup\_module](#input\_enable\_backup\_module) | Indicates if the Backup module should be enabled | `bool` | `true` | no | -| [enable\_budgets\_module](#input\_enable\_budgets\_module) | Indicates if the Budget module should be enabled | `bool` | `true` | no | -| [enable\_compute\_optimizer\_dashboard](#input\_enable\_compute\_optimizer\_dashboard) | Indicates if the Compute Optimizer dashboard should be enabled | `bool` | `true` | no | -| [enable\_compute\_optimizer\_module](#input\_enable\_compute\_optimizer\_module) | Indicates if the Compute Optimizer module should be enabled | `bool` | `true` | no | -| [enable\_cora\_data\_exports](#input\_enable\_cora\_data\_exports) | Indicates if the CORA Data Exports module should be enabled | `bool` | `false` | no | -| [enable\_cost\_anomaly\_module](#input\_enable\_cost\_anomaly\_module) | Indicates if the Cost Anomaly module should be enabled | `bool` | `true` | no | -| [enable\_cost\_intelligence\_dashboard](#input\_enable\_cost\_intelligence\_dashboard) | Indicates if the Cost Intelligence dashboard should be enabled | `bool` | `true` | no | -| [enable\_cudos\_dashboard](#input\_enable\_cudos\_dashboard) | Indicates if the CUDOS dashboard should be enabled | `bool` | `false` | no | -| [enable\_cudos\_v5\_dashboard](#input\_enable\_cudos\_v5\_dashboard) | Indicates if the CUDOS V5 framework should be enabled | `bool` | `true` | no | -| [enable\_ecs\_chargeback\_module](#input\_enable\_ecs\_chargeback\_module) | Indicates if the ECS Chargeback module should be enabled | `bool` | `false` | no | -| [enable\_health\_events](#input\_enable\_health\_events) | Indicates if the Health Events module should be enabled | `bool` | `true` | no | -| [enable\_inventory\_module](#input\_enable\_inventory\_module) | Indicates if the Inventory module should be enabled | `bool` | `true` | no | -| [enable\_kpi\_dashboard](#input\_enable\_kpi\_dashboard) | Indicates if the KPI dashboard should be enabled | `bool` | `true` | no | -| [enable\_license\_manager\_module](#input\_enable\_license\_manager\_module) | Indicates if the License Manager module should be enabled | `bool` | `false` | no | -| [enable\_org\_data\_module](#input\_enable\_org\_data\_module) | Indicates if the Organization Data module should be enabled | `bool` | `true` | no | -| [enable\_prerequisites\_quicksight](#input\_enable\_prerequisites\_quicksight) | Indicates if the prerequisites for QuickSight should be enabled | `bool` | `true` | no | -| [enable\_prerequisites\_quicksight\_permissions](#input\_enable\_prerequisites\_quicksight\_permissions) | Indicates if the prerequisites for QuickSight permissions should be enabled | `bool` | `true` | no | -| [enable\_quicksight\_subscription](#input\_enable\_quicksight\_subscription) | Enable QuickSight subscription | `bool` | `false` | no | -| [enable\_rds\_utilization\_module](#input\_enable\_rds\_utilization\_module) | Indicates if the RDS Utilization module should be enabled | `bool` | `true` | no | -| [enable\_rightsizing\_module](#input\_enable\_rightsizing\_module) | Indicates if the Rightsizing module should be enabled | `bool` | `true` | no | -| [enable\_scad](#input\_enable\_scad) | Indicates if the SCAD module should be enabled, only available when Cora enabled | `bool` | `false` | no | -| [enable\_sso](#input\_enable\_sso) | Enable integration with identity center for QuickSight | `bool` | `true` | no | -| [enable\_tao\_dashboard](#input\_enable\_tao\_dashboard) | Indicates if the TAO dashboard should be enabled | `bool` | `false` | no | -| [enable\_tao\_module](#input\_enable\_tao\_module) | Indicates if the TAO module should be enabled | `bool` | `true` | no | -| [enable\_transit\_gateway\_module](#input\_enable\_transit\_gateway\_module) | Indicates if the Transit Gateway module should be enabled | `bool` | `true` | no | -| [quicksight\_groups](#input\_quicksight\_groups) | Map of groups with user membership to be added to QuickSight |
map(object({| `{}` | no | -| [quicksight\_subscription\_account\_name](#input\_quicksight\_subscription\_account\_name) | The account name for the QuickSight quicksight\_subscription edition | `string` | `null` | no | -| [quicksight\_subscription\_authentication\_method](#input\_quicksight\_subscription\_authentication\_method) | The identity for the QuickSight quicksight\_subscription edition | `string` | `"IAM_AND_QUICKSIGHT"` | no | -| [quicksight\_subscription\_edition](#input\_quicksight\_subscription\_edition) | The edition for the QuickSight quicksight\_subscription | `string` | `"ENTERPRISE"` | no | -| [quicksight\_subscription\_email](#input\_quicksight\_subscription\_email) | The email address for the QuickSight quicksight\_subscription edition | `string` | `null` | no | -| [quicksight\_users](#input\_quicksight\_users) | Map of user accounts to be registered in QuickSight |
description = optional(string)
namespace = optional(string)
members = optional(list(string), [])
}))
map(object({| `{}` | no | -| [quicksights\_username](#input\_quicksights\_username) | The username for the QuickSight user | `string` | `"admin"` | no | -| [saml\_metadata](#input\_saml\_metadata) | The configuration for the SAML identity provider | `string` | `null` | no | -| [stack\_name\_cloud\_intelligence](#input\_stack\_name\_cloud\_intelligence) | The name of the CloudFormation stack to create the dashboards | `string` | `"CI-Cloud-Intelligence-Dashboards"` | no | -| [stack\_name\_collectors](#input\_stack\_name\_collectors) | The name of the CloudFormation stack to create the collectors | `string` | `"CidDataCollectionStack"` | no | -| [stack\_name\_cora\_data\_exports\_destination](#input\_stack\_name\_cora\_data\_exports\_destination) | The name of the CloudFormation stack to create the CORA Data Exports | `string` | `"CidCoraCoraDataExportsDestinationStack"` | no | -| [stack\_name\_cora\_data\_exports\_source](#input\_stack\_name\_cora\_data\_exports\_source) | The name of the CloudFormation stack to create the CORA Data Exports | `string` | `"CidCoraCoraDataExportsSourceStack"` | no | -| [stack\_name\_read\_permissions](#input\_stack\_name\_read\_permissions) | The name of the CloudFormation stack to create the collectors | `string` | `"CidDataCollectionReadPermissionsStack"` | no | -| [stacks\_bucket\_name](#input\_stacks\_bucket\_name) | The name of the bucket to store the CloudFormation templates | `string` | `"cid-cloudformation-templates"` | no | +No inputs. ## Outputs -| Name | Description | -|------|-------------| -| [cloudformation\_bucket\_arn](#output\_cloudformation\_bucket\_arn) | The ARN of the bucket to store the CloudFormation templates | -| [cloudformation\_bucket\_name](#output\_cloudformation\_bucket\_name) | The name of the bucket to store the CloudFormation templates | -| [cloudformation\_bucket\_short\_url](#output\_cloudformation\_bucket\_short\_url) | The domain name of the bucket to store the CloudFormation templates | -| [cloudformation\_bucket\_website\_url](#output\_cloudformation\_bucket\_website\_url) | The URL for the bucket to store the CloudFormation templates | -| [destination\_account\_id](#output\_destination\_account\_id) | The account ID of the destination bucket | -| [destination\_bucket\_arn](#output\_destination\_bucket\_arn) | The ARN of the destination bucket | -| [destination\_bucket\_name](#output\_destination\_bucket\_name) | The name of the destination bucket | -| [destination\_bucket\_short\_url](#output\_destination\_bucket\_short\_url) | The domain name of the destination bucket | -| [destination\_bucket\_website\_url](#output\_destination\_bucket\_website\_url) | The URL for the destination bucket | -| [source\_account\_id](#output\_source\_account\_id) | The account ID of the source account i.e. the management account | +No outputs. - diff --git a/data.tf b/data.tf deleted file mode 100644 index 5ef96c2..0000000 --- a/data.tf +++ /dev/null @@ -1,19 +0,0 @@ - -## Find the current identity for the cost analysis session -data "aws_caller_identity" "cost_analysis" { - provider = aws.cost_analysis -} - -## Find the account id for the management account -data "aws_caller_identity" "management" { - provider = aws.management -} - -## Find the current organization -data "aws_organizations_organization" "current" { - provider = aws.management -} -## Find the current region -data "aws_region" "cost_analysis" { - provider = aws.cost_analysis -} diff --git a/appvia_banner.jpg b/docs/banner.jpg similarity index 100% rename from appvia_banner.jpg rename to docs/banner.jpg diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl index 05881aa..81e5bac 100644 --- a/examples/basic/.terraform.lock.hcl +++ b/examples/basic/.terraform.lock.hcl @@ -2,47 +2,47 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.45.0" - constraints = ">= 5.0.0" + version = "5.74.0" + constraints = ">= 3.0.0, >= 5.0.0, ~> 5.0, >= 5.27.0" hashes = [ - "h1:8m3+C1VNevzU/8FsABoKp2rTOx3Ue7674INfhfk0TZY=", - "zh:1379bcf45aef3d486ee18b4f767bfecd40a0056510d26107f388be3d7994c368", - "zh:1615a6f5495acfb3a0cb72324587261dd4d72711a3cc51aff13167b14531501e", - "zh:18b69a0f33f8b1862fbd3f200756b7e83e087b73687085f2cf9c7da4c318e3e6", - "zh:2c5e7aecd197bc3d3b19290bad8cf4c390c2c6a77bb165da4e11f53f2dfe2e54", - "zh:3794da9bef97596e3bc60e12cdd915bda5ec2ed62cd1cd93723d58b4981905fe", - "zh:40a5e45ed91801f83db76dffd467dcf425ea2ca8642327cf01119601cb86021c", - "zh:4abfc3f53d0256a7d5d1fa5e931e4601b02db3d1da28f452341d3823d0518f1a", - "zh:4eb0e98078f79aeb06b5ff6115286dc2135d12a80287885698d04036425494a2", - "zh:75470efbadea4a8d783642497acaeec5077fc4a7f3df3340defeaa1c7de29bf7", - "zh:8861a0b4891d5fa2fa7142f236ae613cea966c45b5472e3915a4ac3abcbaf487", - "zh:8bf6f21cd9390b742ca0b4393fde92616ca9e6553fb75003a0999006ad233d35", + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:ad73008a044e75d337acda910fb54d8b81a366873c8a413fec1291034899a814", - "zh:bf261713b0b8bebfe8c199291365b87d9043849f28a2dc764bafdde73ae43693", - "zh:da3bafa1fd830be418dfcc730e85085fe67c0d415c066716f2ac350a2306f40a", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", ] } provider "registry.terraform.io/hashicorp/awscc" { - version = "0.74.0" + version = "1.19.0" constraints = ">= 0.11.0" hashes = [ - "h1:Ul1832evjT1Gu2DOH9sw4WxBbPOf7NHLJ3UfG/SAnqU=", - "zh:033b1bf5b8b0fa412aa7e09610d03f603b83b91ba78dfc26548c450b16bdaa6a", - "zh:1069cf96afe3e3b14f4934706523afeb07938f53a1e78567d2dcb4b336886ff2", - "zh:25561adfb2ea86c21db300ec16f2b34f80babe0b8290efb28074c56e64f889e5", - "zh:5136f6b60f8f64ea902ddd8694818d94d4508aa20b67284ee73053446bd3717d", - "zh:5b6d010847de9ecc6f3d05dd2c3771b25a44fb53cc81133acefe810b868514a7", - "zh:64426f51d1d96637c354e58a3629c3ba1286be2dbe8e8cce09d2f0aa3f08e064", - "zh:6addfc79b9fd7012741f0b966ad30729cea9966bf653cb7bf61592b8881d388e", - "zh:71b742c71699b25d1b51d4179a23564f295829568711b2137eb1c16df1867a75", - "zh:8638a9eef6e2dd9d4351236620d5217124f65eb319365cefd275ab2ed743bf07", - "zh:93ac5394c70aac348a4cf52e2d12187f89aca3c42769b0be3b6371fa3db6266c", - "zh:95a8c81b3c453db533fa476f0d03075a1032b76ea8d342637ee92d3b04254c95", - "zh:bc00447a578f533f690214e2be641af60ccd6f0a4f9b9b46e1abeac841205c88", - "zh:c63406c121f66b77ebd202dd673f324cb4dd6b5d8d11f68ef6dcc23d6ee8730d", - "zh:f3537bd1fa5e5fdee3a9a39016c0681d3f88b2105835aae980e9aada876efdd4", + "h1:RuObcNRltFowO6sYBca/yo+wQnqUyUv26mLW9nqM0Mw=", + "zh:080eac85cc5a7f626d2f45241741d0d9d6437b8402875c3a4d929b51eebbd00e", + "zh:1088a52b79cb97dc2457a35acf137a5730d44a3cf96e3bed5550f4ab0504c914", + "zh:44c1a24b7c7dd0a123ca4d8af72e4aeba8661d394c5a816445e16470552710f1", + "zh:4e4a88359cec750646cf121d6ffb83f1c8dc18b3f5a1e495e14d41b7dacf2dba", + "zh:4f3954ef869cde3e302ec34c2f29809cef18ea9e1228d2a236496937dd7267b8", + "zh:6b1f0960b004cdd24ee8de02c6dbea558a1ff395d8c5713747d98ce1751f11b2", + "zh:6c36ed71471ad94f4f0d2bb4f8934a3fab002caf4a717179551b5ad54f5759ad", + "zh:b3bf6ad70a2fe10e26d64113e085dcd27da2262b97283572d2882c3f087e2bae", + "zh:b6d68048bebd2598c4051fa7f5661d1a12b0d65c233c3597df1d61dc857f9aa7", + "zh:c77c2178dd1cd35dfe591ad5630c8eed8b1e60d71a6199c88e40f5175e657cb9", + "zh:d09eba5889a97553a8047cb44ceb352d9780658a363ffc4bd693b665627209e5", + "zh:ddad8b1f75708adbe9b50701d3ab5bbc305f80dd2e59193488ae89d9be3e57f9", + "zh:eb683c5091a171d93741e0b82ad487fd962af21df456f22a304dec0a2b39b5d2", "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32", + "zh:fd808721ef4d60a0b03f1ae548eb2f40d6395acbe5b317089017cc1990e22ac7", ] } diff --git a/examples/basic/README.md b/examples/basic/README.md index 9e67613..ea159e2 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md @@ -7,7 +7,6 @@ No providers. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [dashboard\_bucket\_name](#input\_dashboard\_bucket\_name) | The name of the bucket to store the dashboards | `string` | `"dashboard-bucket-dev"` | no | | [quicksights\_username](#input\_quicksights\_username) | The username to use for QuickSight | `string` | `"admin"` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` |
identity_type = optional(string, "IAM")
namespace = optional(string, "default")
role = optional(string, "READER")
}))
{| no | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 4a6dcaf..650af6b 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -4,25 +4,50 @@ # to build your own root module that invokes this module ##################################################################################### -module "cudos_framework" { - source = "../.." - - dashboards_bucket_name = var.dashboard_bucket_name - enable_compute_optimizer_dashboard = true - enable_cost_intelligence_dashboard = true - enable_cudos_dashboard = true - enable_cudos_v5_dashboard = true - enable_kpi_dashboard = true - enable_sso = true - enable_tao_dashboard = false - saml_metadata = file("${path.module}/assets/saml-metadata.xml") - quicksights_username = var.quicksights_username - tags = var.tags +locals { + ## Name of the bucket where the cloudformation scripts are stored + cloudformation_bucket_name = "cid-cloudformation-templates" + ## Name of the bucket where the dashboards are stored + dashboard_bucket_name = "cid-dashboards" +} + +module "destination" { + source = "../../modules/destination" + + cloudformation_bucket_name = local.cloudformation_bucket_name + dashboards_bucket_name = local.dashboard_bucket_name + enable_sso = true + payer_accounts = ["1234343434"] + quicksights_username = var.quicksights_username + saml_metadata = file("${path.module}/assets/saml-metadata.xml") + tags = var.tags + + providers = { + aws = aws.cost_analysis + aws.us_east_1 = aws.cost_analysis_us_east_1 + } +} + +module "source" { + source = "../../modules/source" + + ## The account id for the destination below + destination_account_id = "1234343434" + destination_bucket_arn = module.destination.destination_bucket_arn + enable_backup_module = true + enable_budgets_module = true + enable_cora_data_exports = true + enable_ecs_chargeback_module = true + enable_health_events_module = true + enable_inventory_module = true + enable_rds_utilization_module = true + enable_scad = true + stacks_bucket_name = local.cloudformation_bucket_name + tags = var.tags providers = { - aws.management = aws.management - aws.management_us_east_1 = aws.management_us_east_1 - aws.cost_analysis = aws.cost_analysis - aws.cost_analysis_us_east_1 = aws.cost_analysis_us_east_1 + aws = aws.management + aws.us_east_1 = aws.management_us_east_1 } } + diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf index 4f06a0a..6800124 100644 --- a/examples/basic/variables.tf +++ b/examples/basic/variables.tf @@ -1,10 +1,4 @@ -variable "dashboard_bucket_name" { - description = "The name of the bucket to store the dashboards" - type = string - default = "dashboard-bucket-dev" -} - variable "tags" { description = "A map of tags to add to all resources" type = map(string) diff --git a/locals.tf b/locals.tf deleted file mode 100644 index 27e2413..0000000 --- a/locals.tf +++ /dev/null @@ -1,31 +0,0 @@ - -locals { - ## The region where the stack is being deployed - region = data.aws_region.cost_analysis.name - - ## Is the account id for the cost analysis account - cost_analysis_account_id = data.aws_caller_identity.cost_analysis.account_id - ## Is the management account id - management_account_id = data.aws_caller_identity.management.account_id - ## Is the organization root id - organization_root_id = data.aws_organizations_organization.current.roots[0].id - ## The s3 bucket name for the cloudformation scripts - stacks_base_url = format("https://%s.s3.%s.amazonaws.com", var.stacks_bucket_name, local.region) - ## Is the user mappings for the quicksight groups - user_group_mappings = merge([ - for n, g in var.quicksight_groups : { - for u in g.members : - join("-", [n, u]) => { - user = u - group = n - } - } if var.enable_sso - ]...) - - ## Is the payer account id used in the collection configuration - payer_account_ids = distinct(sort(concat([local.management_account_id], var.additional_payer_accounts))) - - ## Is the list of accounts permitted to retrieve the cloudformation templates - cloudformation_accounts_ids = distinct(concat([local.management_account_id, local.cost_analysis_account_id], var.additional_payer_accounts)) -} - diff --git a/modules/destination/.terraform.lock.hcl b/modules/destination/.terraform.lock.hcl new file mode 100644 index 0000000..78d0674 --- /dev/null +++ b/modules/destination/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 3.0.0, ~> 5.0, >= 5.27.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} diff --git a/modules/destination/README.md b/modules/destination/README.md new file mode 100644 index 0000000..c67b50e --- /dev/null +++ b/modules/destination/README.md @@ -0,0 +1,61 @@ + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudformation\_bucket\_name](#input\_cloudformation\_bucket\_name) | The name of the bucket to store the CloudFormation | `string` | n/a | yes | +| [dashboards\_bucket\_name](#input\_dashboards\_bucket\_name) | The name of the bucket to store the dashboards configurations | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes | +| [enable\_backup\_module](#input\_enable\_backup\_module) | Indicates if the Backup module should be enabled | `bool` | `true` | no | +| [enable\_budgets\_module](#input\_enable\_budgets\_module) | Indicates if the Budget module should be enabled | `bool` | `true` | no | +| [enable\_compute\_optimizer\_dashboard](#input\_enable\_compute\_optimizer\_dashboard) | Indicates if the Compute Optimizer dashboard should be enabled | `bool` | `true` | no | +| [enable\_compute\_optimizer\_module](#input\_enable\_compute\_optimizer\_module) | Indicates if the Compute Optimizer module should be enabled | `bool` | `true` | no | +| [enable\_cora\_data\_exports](#input\_enable\_cora\_data\_exports) | Indicates if the CORA Data Exports module should be enabled | `bool` | `false` | no | +| [enable\_cost\_anomaly\_module](#input\_enable\_cost\_anomaly\_module) | Indicates if the Cost Anomaly module should be enabled | `bool` | `true` | no | +| [enable\_cost\_intelligence\_dashboard](#input\_enable\_cost\_intelligence\_dashboard) | Indicates if the Cost Intelligence dashboard should be enabled | `bool` | `true` | no | +| [enable\_cudos\_dashboard](#input\_enable\_cudos\_dashboard) | Indicates if the CUDOS dashboard should be enabled | `bool` | `false` | no | +| [enable\_cudos\_v5\_dashboard](#input\_enable\_cudos\_v5\_dashboard) | Indicates if the CUDOS V5 framework should be enabled | `bool` | `true` | no | +| [enable\_ecs\_chargeback\_module](#input\_enable\_ecs\_chargeback\_module) | Indicates if the ECS Chargeback module should be enabled | `bool` | `false` | no | +| [enable\_health\_events](#input\_enable\_health\_events) | Indicates if the Health Events module should be enabled | `bool` | `true` | no | +| [enable\_inventory\_module](#input\_enable\_inventory\_module) | Indicates if the Inventory module should be enabled | `bool` | `true` | no | +| [enable\_kpi\_dashboard](#input\_enable\_kpi\_dashboard) | Indicates if the KPI dashboard should be enabled | `bool` | `true` | no | +| [enable\_license\_manager\_module](#input\_enable\_license\_manager\_module) | Indicates if the License Manager module should be enabled | `bool` | `false` | no | +| [enable\_org\_data\_module](#input\_enable\_org\_data\_module) | Indicates if the Organization Data module should be enabled | `bool` | `true` | no | +| [enable\_prerequisites\_quicksight](#input\_enable\_prerequisites\_quicksight) | Indicates if the prerequisites for QuickSight should be enabled | `bool` | `true` | no | +| [enable\_prerequisites\_quicksight\_permissions](#input\_enable\_prerequisites\_quicksight\_permissions) | Indicates if the prerequisites for QuickSight permissions should be enabled | `bool` | `true` | no | +| [enable\_quicksight\_subscription](#input\_enable\_quicksight\_subscription) | Enable QuickSight subscription | `bool` | `false` | no | +| [enable\_rds\_utilization\_module](#input\_enable\_rds\_utilization\_module) | Indicates if the RDS Utilization module should be enabled | `bool` | `true` | no | +| [enable\_rightsizing\_module](#input\_enable\_rightsizing\_module) | Indicates if the Rightsizing module should be enabled | `bool` | `true` | no | +| [enable\_scad](#input\_enable\_scad) | Indicates if the SCAD module should be enabled, only available when Cora enabled | `bool` | `false` | no | +| [enable\_sso](#input\_enable\_sso) | Enable integration with identity center for QuickSight | `bool` | `true` | no | +| [enable\_tao\_dashboard](#input\_enable\_tao\_dashboard) | Indicates if the TAO dashboard should be enabled | `bool` | `false` | no | +| [enable\_tao\_module](#input\_enable\_tao\_module) | Indicates if the TAO module should be enabled | `bool` | `true` | no | +| [enable\_transit\_gateway\_module](#input\_enable\_transit\_gateway\_module) | Indicates if the Transit Gateway module should be enabled | `bool` | `true` | no | +| [payer\_accounts](#input\_payer\_accounts) | List of additional payer accounts to be included in the collectors module | `list(string)` | `[]` | no | +| [quicksight\_groups](#input\_quicksight\_groups) | Map of groups with user membership to be added to QuickSight |
"Environment": "Production"
}
map(object({| `{}` | no | +| [quicksight\_subscription\_account\_name](#input\_quicksight\_subscription\_account\_name) | The account name for the QuickSight quicksight\_subscription edition | `string` | `null` | no | +| [quicksight\_subscription\_authentication\_method](#input\_quicksight\_subscription\_authentication\_method) | The identity for the QuickSight quicksight\_subscription edition | `string` | `"IAM_AND_QUICKSIGHT"` | no | +| [quicksight\_subscription\_edition](#input\_quicksight\_subscription\_edition) | The edition for the QuickSight quicksight\_subscription | `string` | `"ENTERPRISE"` | no | +| [quicksight\_subscription\_email](#input\_quicksight\_subscription\_email) | The email address for the QuickSight quicksight\_subscription edition | `string` | `null` | no | +| [quicksight\_users](#input\_quicksight\_users) | Map of user accounts to be registered in QuickSight |
description = optional(string)
namespace = optional(string)
members = optional(list(string), [])
}))
map(object({| `{}` | no | +| [quicksights\_username](#input\_quicksights\_username) | The username for the QuickSight user | `string` | `"admin"` | no | +| [saml\_metadata](#input\_saml\_metadata) | The configuration for the SAML identity provider | `string` | `null` | no | +| [stack\_name\_cloud\_intelligence](#input\_stack\_name\_cloud\_intelligence) | The name of the CloudFormation stack to create the dashboards | `string` | `"CI-Cloud-Intelligence-Dashboards"` | no | +| [stack\_name\_collectors](#input\_stack\_name\_collectors) | The name of the CloudFormation stack to create the collectors | `string` | `"CidDataCollectionStack"` | no | +| [stack\_name\_cora\_data\_exports](#input\_stack\_name\_cora\_data\_exports) | The name of the CloudFormation stack to create the CORA Data Exports | `string` | `"CidCoraCoraDataExportsDestinationStack"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cloudformation\_bucket\_arn](#output\_cloudformation\_bucket\_arn) | The name of the bucket where to store the CloudFormation | +| [dashboard\_bucket\_arn](#output\_dashboard\_bucket\_arn) | The name of the bucket where to store the dashboards | +| [destination\_bucket\_arn](#output\_destination\_bucket\_arn) | The name of the bucket where to replicate the data from the CUR | +| [destination\_bucket\_name](#output\_destination\_bucket\_name) | The name of the bucket where to replicate the data from the CUR | + \ No newline at end of file diff --git a/modules/destination/assets/cloudformation/cudos/data-exports-aggregation.yaml b/modules/destination/assets/cloudformation/cudos/data-exports-aggregation.yaml new file mode 120000 index 0000000..e94b02f --- /dev/null +++ b/modules/destination/assets/cloudformation/cudos/data-exports-aggregation.yaml @@ -0,0 +1 @@ +../../../../../assets/cloudformation/cudos/data-exports-aggregation.yaml \ No newline at end of file diff --git a/assets/cloudformation/cudos/deploy-data-collection.yaml b/modules/destination/assets/cloudformation/cudos/deploy-data-collection.yaml similarity index 100% rename from assets/cloudformation/cudos/deploy-data-collection.yaml rename to modules/destination/assets/cloudformation/cudos/deploy-data-collection.yaml diff --git a/modules/destination/data.tf b/modules/destination/data.tf new file mode 100644 index 0000000..ad9ac66 --- /dev/null +++ b/modules/destination/data.tf @@ -0,0 +1,6 @@ + +## Find the current identity for the cost analysis session +data "aws_caller_identity" "current" {} + +## Find the current region +data "aws_region" "current" {} diff --git a/modules/destination/locals.tf b/modules/destination/locals.tf new file mode 100644 index 0000000..715aaa7 --- /dev/null +++ b/modules/destination/locals.tf @@ -0,0 +1,23 @@ + +locals { + ## Is the account id for the cost analysis account + account_id = data.aws_caller_identity.current.account_id + ## Is the payer account id used in the collection configuration + payer_account_ids = distinct(var.payer_accounts) + ## The region where the stack is being deployed + region = data.aws_region.current.name + ## The URL for the s3 bucket containing cloudformation scripts + bucket_url = format("https://%s.s3.%s.amazonaws.com", var.cloudformation_bucket_name, local.region) + + ## Is the user mappings for the quicksight groups + user_group_mappings = merge([ + for n, g in var.quicksight_groups : { + for u in g.members : + join("-", [n, u]) => { + user = u + group = n + } + } if var.enable_sso + ]...) +} + diff --git a/main.tf b/modules/destination/main.tf similarity index 59% rename from main.tf rename to modules/destination/main.tf index 8486f60..b241f7f 100644 --- a/main.tf +++ b/modules/destination/main.tf @@ -1,5 +1,98 @@ -## Provision enterprise quicksight if enabled +## Craft and IAM policy that allows the account to access the bucket +data "aws_iam_policy_document" "bucket_policy" { + statement { + effect = "Allow" + actions = [ + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject", + ] + principals { + type = "AWS" + identifiers = [local.account_id] + } + resources = [ + format("arn:aws:s3:::%s", var.cloudformation_bucket_name), + format("arn:aws:s3:::%s/*", var.cloudformation_bucket_name), + ] + } + + statement { + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:ListBucket", + ] + principals { + type = "AWS" + identifiers = [local.account_id] + } + resources = [ + format("arn:aws:s3:::%s", var.cloudformation_bucket_name), + format("arn:aws:s3:::%s/*", var.cloudformation_bucket_name), + ] + } +} + +## Provision a bucket used to contain the cloudformation templates +# tfsec:ignore:aws-s3-enable-bucket-logging +module "cloudformation" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.2" + + attach_policy = true + block_public_acls = true + block_public_policy = true + bucket = var.cloudformation_bucket_name + expected_bucket_owner = local.account_id + force_destroy = true + ignore_public_acls = true + object_ownership = "BucketOwnerPreferred" + policy = data.aws_iam_policy_document.bucket_policy.json + restrict_public_buckets = true + tags = var.tags + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } + + versioning = { + enabled = true + } +} + +## Create a lifecycle rule to old versions of the objects in the bucket +resource "aws_s3_bucket_lifecycle_configuration" "bucket_lifecycle" { + bucket = module.cloudformation.s3_bucket_id + + rule { + id = "DeleteOldVersions" + status = "Enabled" + + noncurrent_version_expiration { + noncurrent_days = 90 + } + } +} + +## Upload the cloudformation templates to the bucket +resource "aws_s3_object" "cloudformation_templates" { + for_each = fileset("${path.module}/assets/cloudformation/", "**/*.yaml") + + bucket = module.cloudformation.s3_bucket_id + etag = filemd5("${path.module}/assets/cloudformation/${each.value}") + key = each.value + server_side_encryption = "AES256" + source = "${path.module}/assets/cloudformation/${each.value}" +} + +## Provision enterprise quicksight if enabled resource "aws_quicksight_account_subscription" "subscription" { count = var.enable_quicksight_subscription ? 1 : 0 @@ -7,23 +100,19 @@ resource "aws_quicksight_account_subscription" "subscription" { authentication_method = var.quicksight_subscription_authentication_method edition = var.quicksight_subscription_edition notification_email = var.quicksight_subscription_email - - provider = aws.cost_analysis } -## Provision a SAML identity provider in the data collection account - this will be -## used to authenticate sso users into quicksights +## Provision a SAML identity provider in the data collection account - this will be +## used to authenticate sso users into quicksights resource "aws_iam_saml_provider" "saml" { count = var.enable_sso ? 1 : 0 name = "aws-cudos-sso" saml_metadata_document = var.saml_metadata tags = var.tags - - provider = aws.cost_analysis } -## Provision a trust policy for the above SAML identity provider +## Provision a trust policy for the above SAML identity provider data "aws_iam_policy_document" "cudos_sso" { count = var.enable_sso ? 1 : 0 @@ -44,74 +133,36 @@ data "aws_iam_policy_document" "cudos_sso" { } } -## Provision an IAM policy which will be attached to the IAM role and has the -## necessary permissions to access quicksight users, whom have authenticated via -## the SAML identity provider +## Provision an IAM policy which will be attached to the IAM role and has the +## necessary permissions to access quicksight users, whom have authenticated via +## the SAML identity provider data "aws_iam_policy_document" "cudos_sso_permissions" { count = var.enable_sso ? 1 : 0 statement { actions = ["quicksight:CreateReader"] effect = "Allow" - resources = ["arn:aws:quicksight::${local.cost_analysis_account_id}:user/$${aws:userid}"] + resources = ["arn:aws:quicksight::${local.account_id}:user/$${aws:userid}"] } } ## Provision and IAM role to be assumed by the SAML identity provider; this role will -## be used to authenticate users into quicksights +## be used to authenticate users into quicksights resource "aws_iam_role" "cudos_sso" { count = var.enable_sso ? 1 : 0 name = "aws-cudos-sso" assume_role_policy = data.aws_iam_policy_document.cudos_sso[0].json tags = var.tags - - inline_policy { - name = "quicksight-permissions" - policy = data.aws_iam_policy_document.cudos_sso_permissions[0].json - } - - provider = aws.cost_analysis } -## Craft and IAM policy that allows the account to access the bucket -data "aws_iam_policy_document" "stack_bucket_policy" { - statement { - effect = "Allow" - actions = [ - "s3:DeleteObject", - "s3:GetObject", - "s3:ListBucket", - "s3:PutObject", - ] - principals { - type = "AWS" - identifiers = [local.management_account_id] - } - resources = [ - format("arn:aws:s3:::%s", var.stacks_bucket_name), - format("arn:aws:s3:::%s/*", var.stacks_bucket_name), - ] - } +## Attach an inline policy to the IAM role +resource "aws_iam_role_policy" "cudos_sso" { + count = var.enable_sso ? 1 : 0 - statement { - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:ListBucket", - ] - principals { - type = "AWS" - identifiers = [ - local.cost_analysis_account_id, - local.management_account_id, - ] - } - resources = [ - format("arn:aws:s3:::%s", var.stacks_bucket_name), - format("arn:aws:s3:::%s/*", var.stacks_bucket_name), - ] - } + name = "quicksight-permissions" + policy = data.aws_iam_policy_document.cudos_sso_permissions[0].json + role = aws_iam_role.cudos_sso[0].name } ## Craft and IAM policy that allows the account to access the bucket @@ -126,7 +177,7 @@ data "aws_iam_policy_document" "dashboards_bucket_policy" { ] principals { type = "AWS" - identifiers = local.cloudformation_accounts_ids + identifiers = [local.account_id] } resources = [ format("arn:aws:s3:::%s", var.dashboards_bucket_name), @@ -135,68 +186,19 @@ data "aws_iam_policy_document" "dashboards_bucket_policy" { } } - -## Provision a bucket used to contain the cloudformation templates -# tfsec:ignore:aws-s3-enable-bucket-logging -module "cloudformation_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" - - attach_policy = true - block_public_acls = true - block_public_policy = true - bucket = var.stacks_bucket_name - expected_bucket_owner = local.management_account_id - force_destroy = true - ignore_public_acls = true - object_ownership = "BucketOwnerPreferred" - policy = data.aws_iam_policy_document.stack_bucket_policy.json - restrict_public_buckets = true - tags = var.tags - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } - - versioning = { - enabled = true - } - - providers = { - aws = aws.management - } -} - -## Upload the cloudformation templates to the bucket -resource "aws_s3_object" "cloudformation_templates" { - for_each = fileset("${path.module}/assets/cloudformation/", "**/*.yaml") - - bucket = module.cloudformation_bucket.s3_bucket_id - etag = filemd5("${path.module}/assets/cloudformation/${each.value}") - key = each.value - server_side_encryption = "AES256" - source = "${path.module}/assets/cloudformation/${each.value}" - - provider = aws.management -} - ## Provision a bucket used to contain the cudos dashboards - note this ## bucket must be public due to the consuming tterraform module # # tfsec:ignore:aws-s3-enable-bucket-logging module "dashboard_bucket" { source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" + version = "4.2.2" attach_policy = true block_public_acls = true block_public_policy = true bucket = var.dashboards_bucket_name - expected_bucket_owner = local.cost_analysis_account_id + expected_bucket_owner = local.account_id force_destroy = true ignore_public_acls = true object_ownership = "BucketOwnerPreferred" @@ -215,16 +217,12 @@ module "dashboard_bucket" { versioning = { enabled = true } - - providers = { - aws = aws.cost_analysis - } } -## First we configure the collector to accept the CUR (Cost and Usage Report) from the source account +## First we configure the collector to accept the CUR (Cost and Usage Report) from the source account # tfsec:ignore:aws-s3-enable-bucket-logging module "collector" { - source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cur-setup-destination?ref=4.0.5" + source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cur-setup-destination?ref=4.0.2" # Source account whom will be replicating the CUR data to the collector account source_account_ids = local.payer_account_ids @@ -232,85 +230,13 @@ module "collector" { create_cur = false providers = { - aws = aws.cost_analysis - aws.useast1 = aws.cost_analysis_us_east_1 + aws.useast1 = aws.us_east_1 } } -## Setup the replication from the management account to the collector account -## to receive the CUR data -# tfsec:ignore:aws-s3-enable-bucket-logging -# tfsec:ignore:aws-iam-no-policy-wildcards -module "source" { - source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cur-setup-source?ref=4.0.5" - - # The destination bucket to repliaction the CUR data to - destination_bucket_arn = module.collector.cur_bucket_arn - - providers = { - aws = aws.management - aws.useast1 = aws.management_us_east_1 - } -} - -## Provision the stack contain the cora data exports in the management account -## Deployment of same stacko the management account -resource "aws_cloudformation_stack" "core_data_export_management" { - count = var.enable_cora_data_exports ? 1 : 0 - - capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] - name = var.stack_name_cora_data_exports_source - on_failure = "ROLLBACK" - tags = var.tags - template_url = format("%s/cudos/%s", local.stacks_base_url, "data-exports-aggregation.yaml") - - parameters = { - "DestinationAccountId" = local.cost_analysis_account_id, - "EnableSCAD" = var.enable_scad ? "yes" : "no", - "ManageCOH" = "yes", - "ManageCUR2" = "no", - "SourceAccountIds" = local.management_account_id, - } - - lifecycle { - ignore_changes = [ - capabilities, - ] - } - - provider = aws.management -} - -## Provision the Cora data exports in the collector account -resource "aws_cloudformation_stack" "cora_data_export_collector" { - count = var.enable_cora_data_exports ? 1 : 0 - - capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] - name = var.stack_name_cora_data_exports_destination - on_failure = "ROLLBACK" - tags = var.tags - template_url = format("%s/cudos/%s", local.stacks_base_url, "data-exports-aggregation.yaml") - - parameters = { - "DestinationAccountId" = local.cost_analysis_account_id, - "EnableSCAD" = var.enable_scad ? "yes" : "no", - "ManageCOH" = "yes", - "ManageCUR2" = "no", - "SourceAccountIds" = local.management_account_id, - } - - lifecycle { - ignore_changes = [ - capabilities, - ] - } - - provider = aws.cost_analysis -} - ## Provision the cloud intelligence dashboards module "dashboards" { - source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards?ref=4.0.5" + source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards?ref=4.0.2" stack_name = var.stack_name_cloud_intelligence template_bucket = module.dashboard_bucket.s3_bucket_id @@ -329,24 +255,17 @@ module "dashboards" { depends_on = [ module.collector, - module.source, aws_quicksight_account_subscription.subscription, ] - - providers = { - aws = aws.cost_analysis - } } -## We need to provision the read permissions stack in the management account -resource "aws_cloudformation_stack" "cudos_read_permissions" { - name = var.stack_name_read_permissions +## We need to provision the data collection stack in the colletor account +resource "aws_cloudformation_stack" "cudos_data_collection" { + name = var.stack_name_collectors capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] - template_url = format("%s/cudos/%s", local.stacks_base_url, "deploy-data-read-permissions.yaml") + template_url = format("%s/cudos/%s", local.bucket_url, "deploy-data-collection.yaml") parameters = { - "AllowModuleReadInMgmt" = "yes", - "DataCollectionAccountID" = local.cost_analysis_account_id, "IncludeBackupModule" = var.enable_backup_module ? "yes" : "no", "IncludeBudgetsModule" = var.enable_budgets_module ? "yes" : "no", "IncludeComputeOptimizerModule" = var.enable_compute_optimizer_module ? "yes" : "no", @@ -354,53 +273,45 @@ resource "aws_cloudformation_stack" "cudos_read_permissions" { "IncludeECSChargebackModule" = var.enable_ecs_chargeback_module ? "yes" : "no", "IncludeHealthEventsModule" = var.enable_health_events ? "yes" : "no" "IncludeInventoryCollectorModule" = var.enable_inventory_module ? "yes" : "no", + "IncludeLicenseManagerModule" = var.enable_license_manager_module ? "yes" : "no", + "IncludeOrgDataModule" = var.enable_org_data_module ? "yes" : "no", "IncludeRDSUtilizationModule" = var.enable_rds_utilization_module ? "yes" : "no", "IncludeRightsizingModule" = var.enable_rightsizing_module ? "yes" : "no", "IncludeTAModule" = var.enable_tao_module ? "yes" : "no", "IncludeTransitGatewayModule" = var.enable_transit_gateway_module ? "yes" : "no", - "OrganizationalUnitIds" = local.organization_root_id, + "ManagementAccountID" = join(",", local.payer_account_ids), } depends_on = [ aws_s3_object.cloudformation_templates, module.collector, module.dashboards, - module.source, ] - - provider = aws.management } -## We need to provision the data collection stack in the colletor account -resource "aws_cloudformation_stack" "cudos_data_collection" { - name = var.stack_name_collectors +## Provision the stack contain the cora data exports in the management account +## Deployment of same stack the management account +resource "aws_cloudformation_stack" "core_data_export_destination" { + count = var.enable_cora_data_exports ? 1 : 0 + capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] - template_url = format("%s/cudos/%s", local.stacks_base_url, "deploy-data-collection.yaml") + name = var.stack_name_cora_data_exports + on_failure = "ROLLBACK" + tags = var.tags + template_url = format("%s/cudos/%s", local.bucket_url, "data-exports-aggregation.yaml") parameters = { - "IncludeBackupModule" = var.enable_backup_module ? "yes" : "no", - "IncludeBudgetsModule" = var.enable_budgets_module ? "yes" : "no", - "IncludeComputeOptimizerModule" = var.enable_compute_optimizer_module ? "yes" : "no", - "IncludeCostAnomalyModule" = var.enable_cost_anomaly_module ? "yes" : "no", - "IncludeECSChargebackModule" = var.enable_ecs_chargeback_module ? "yes" : "no", - "IncludeHealthEventsModule" = var.enable_health_events ? "yes" : "no" - "IncludeInventoryCollectorModule" = var.enable_inventory_module ? "yes" : "no", - "IncludeLicenseManagerModule" = var.enable_license_manager_module ? "yes" : "no", - "IncludeOrgDataModule" = var.enable_org_data_module ? "yes" : "no", - "IncludeRDSUtilizationModule" = var.enable_rds_utilization_module ? "yes" : "no", - "IncludeRightsizingModule" = var.enable_rightsizing_module ? "yes" : "no", - "IncludeTAModule" = var.enable_tao_module ? "yes" : "no", - "IncludeTransitGatewayModule" = var.enable_transit_gateway_module ? "yes" : "no", - "ManagementAccountID" = join(",", local.payer_account_ids), + "DestinationAccountId" = local.account_id, + "EnableSCAD" = var.enable_scad ? "yes" : "no", + "ManageCOH" = "yes", + "ManageCUR2" = "no", + "SourceAccountIds" = join(",", local.payer_account_ids), } - depends_on = [ - aws_cloudformation_stack.cudos_read_permissions, - aws_s3_object.cloudformation_templates, - module.collector, - module.dashboards, - module.source, - ] - - provider = aws.cost_analysis + lifecycle { + ignore_changes = [ + capabilities, + ] + } } + diff --git a/modules/destination/outputs.tf b/modules/destination/outputs.tf new file mode 100644 index 0000000..355a770 --- /dev/null +++ b/modules/destination/outputs.tf @@ -0,0 +1,20 @@ + +output "cloudformation_bucket_arn" { + description = "The name of the bucket where to store the CloudFormation" + value = module.cloudformation.s3_bucket_arn +} + +output "destination_bucket_arn" { + description = "The name of the bucket where to replicate the data from the CUR" + value = module.collector.cur_bucket_arn +} + +output "destination_bucket_name" { + description = "The name of the bucket where to replicate the data from the CUR" + value = module.collector.cur_bucket_name +} + +output "dashboard_bucket_arn" { + description = "The name of the bucket where to store the dashboards" + value = module.dashboard_bucket.s3_bucket_arn +} diff --git a/quicksights.tf b/modules/destination/quicksights.tf similarity index 92% rename from quicksights.tf rename to modules/destination/quicksights.tf index 4db3077..7b9ef22 100644 --- a/quicksights.tf +++ b/modules/destination/quicksights.tf @@ -6,8 +6,6 @@ resource "aws_quicksight_group" "groups" { description = each.value.description group_name = each.key namespace = each.value.namespace - - provider = aws.cost_analysis } ## Provision any users within QuickSight @@ -25,8 +23,6 @@ resource "aws_quicksight_user" "users" { lifecycle { ignore_changes = [user_name] } - - provider = aws.cost_analysis } ## Provision any group memberships within QuickSight @@ -37,6 +33,4 @@ resource "aws_quicksight_group_membership" "members" { member_name = format("%s/%s", aws_iam_role.cudos_sso[0].name, each.value.user) depends_on = [aws_quicksight_user.users] - - provider = aws.cost_analysis } diff --git a/terraform.tf b/modules/destination/terraform.tf similarity index 60% rename from terraform.tf rename to modules/destination/terraform.tf index 4586017..ac73a40 100644 --- a/terraform.tf +++ b/modules/destination/terraform.tf @@ -6,10 +6,7 @@ terraform { source = "hashicorp/aws" version = "~> 5.0" configuration_aliases = [ - aws.cost_analysis, - aws.cost_analysis_us_east_1, - aws.management, - aws.management_us_east_1, + aws.us_east_1, ] } } diff --git a/variables.tf b/modules/destination/variables.tf similarity index 91% rename from variables.tf rename to modules/destination/variables.tf index 1d558fe..83c6c1d 100644 --- a/variables.tf +++ b/modules/destination/variables.tf @@ -4,7 +4,12 @@ variable "tags" { type = map(string) } -variable "additional_payer_accounts" { +variable "cloudformation_bucket_name" { + description = "The name of the bucket to store the CloudFormation" + type = string +} + +variable "payer_accounts" { description = "List of additional payer accounts to be included in the collectors module" type = list(string) default = [] @@ -40,37 +45,19 @@ variable "quicksight_subscription_account_name" { default = null } -variable "stacks_bucket_name" { - description = "The name of the bucket to store the CloudFormation templates" - type = string - default = "cid-cloudformation-templates" -} - variable "stack_name_cloud_intelligence" { description = "The name of the CloudFormation stack to create the dashboards" type = string default = "CI-Cloud-Intelligence-Dashboards" } -variable "stack_name_read_permissions" { - description = "The name of the CloudFormation stack to create the collectors" - type = string - default = "CidDataCollectionReadPermissionsStack" -} - variable "stack_name_collectors" { description = "The name of the CloudFormation stack to create the collectors" type = string default = "CidDataCollectionStack" } -variable "stack_name_cora_data_exports_source" { - description = "The name of the CloudFormation stack to create the CORA Data Exports" - type = string - default = "CidCoraCoraDataExportsSourceStack" -} - -variable "stack_name_cora_data_exports_destination" { +variable "stack_name_cora_data_exports" { description = "The name of the CloudFormation stack to create the CORA Data Exports" type = string default = "CidCoraCoraDataExportsDestinationStack" diff --git a/modules/source/.terraform.lock.hcl b/modules/source/.terraform.lock.hcl new file mode 100644 index 0000000..78d0674 --- /dev/null +++ b/modules/source/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 3.0.0, ~> 5.0, >= 5.27.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} diff --git a/modules/source/README.md b/modules/source/README.md new file mode 100644 index 0000000..d27eee3 --- /dev/null +++ b/modules/source/README.md @@ -0,0 +1,40 @@ + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [destination\_account\_id](#input\_destination\_account\_id) | The AWS account ID for the destination account | `string` | n/a | yes | +| [destination\_bucket\_arn](#input\_destination\_bucket\_arn) | The ARN of the bucket where to replicate the data from the CUR | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes | +| [enable\_backup\_module](#input\_enable\_backup\_module) | Indicates if the Backup module should be enabled | `bool` | `true` | no | +| [enable\_budgets\_module](#input\_enable\_budgets\_module) | Indicates if the Budget module should be enabled | `bool` | `true` | no | +| [enable\_compute\_optimizer\_module](#input\_enable\_compute\_optimizer\_module) | Indicates if the Compute Optimizer module should be enabled | `bool` | `true` | no | +| [enable\_cora\_data\_exports](#input\_enable\_cora\_data\_exports) | Indicates if the CORA Data Exports module should be enabled | `bool` | `false` | no | +| [enable\_cost\_anomaly\_module](#input\_enable\_cost\_anomaly\_module) | Indicates if the Cost Anomaly module should be enabled | `bool` | `true` | no | +| [enable\_ecs\_chargeback\_module](#input\_enable\_ecs\_chargeback\_module) | Indicates if the ECS Chargeback module should be enabled | `bool` | `false` | no | +| [enable\_health\_events\_module](#input\_enable\_health\_events\_module) | Indicates if the Health Events module should be enabled | `bool` | `true` | no | +| [enable\_inventory\_module](#input\_enable\_inventory\_module) | Indicates if the Inventory module should be enabled | `bool` | `true` | no | +| [enable\_rds\_utilization\_module](#input\_enable\_rds\_utilization\_module) | Indicates if the RDS Utilization module should be enabled | `bool` | `true` | no | +| [enable\_rightsizing\_module](#input\_enable\_rightsizing\_module) | Indicates if the Rightsizing module should be enabled | `bool` | `true` | no | +| [enable\_scad](#input\_enable\_scad) | Indicates if the SCAD module should be enabled, only available when Cora enabled | `bool` | `false` | no | +| [enable\_tao\_module](#input\_enable\_tao\_module) | Indicates if the TAO module should be enabled | `bool` | `true` | no | +| [enable\_transit\_gateway\_module](#input\_enable\_transit\_gateway\_module) | Indicates if the Transit Gateway module should be enabled | `bool` | `true` | no | +| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | List of organization units where the read permissions stack will be deployed | `list(string)` | `[]` | no | +| [stack\_name\_cora\_data\_exports\_source](#input\_stack\_name\_cora\_data\_exports\_source) | The name of the CloudFormation stack to create the CORA Data Exports | `string` | `"CidCoraCoraDataExportsSourceStack"` | no | +| [stack\_name\_read\_permissions](#input\_stack\_name\_read\_permissions) | The name of the CloudFormation stack to create the collectors | `string` | `"CidDataCollectionReadPermissionsStack"` | no | +| [stacks\_bucket\_name](#input\_stacks\_bucket\_name) | The name of the bucket to store the CloudFormation templates | `string` | `"cid-cloudformation-templates"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cloudformation\_bucket\_name](#output\_cloudformation\_bucket\_name) | The name of the bucket to store the CloudFormation templates | +| [cloudformation\_bucket\_url](#output\_cloudformation\_bucket\_url) | The URL of the bucket to store the CloudFormation templates | +| [management\_account\_id](#output\_management\_account\_id) | The AWS account ID for the management account | + \ No newline at end of file diff --git a/modules/source/assets/cloudformation/cudos/data-exports-aggregation.yaml b/modules/source/assets/cloudformation/cudos/data-exports-aggregation.yaml new file mode 120000 index 0000000..e94b02f --- /dev/null +++ b/modules/source/assets/cloudformation/cudos/data-exports-aggregation.yaml @@ -0,0 +1 @@ +../../../../../assets/cloudformation/cudos/data-exports-aggregation.yaml \ No newline at end of file diff --git a/assets/cloudformation/cudos/deploy-data-read-permissions.yaml b/modules/source/assets/cloudformation/cudos/deploy-data-read-permissions.yaml similarity index 100% rename from assets/cloudformation/cudos/deploy-data-read-permissions.yaml rename to modules/source/assets/cloudformation/cudos/deploy-data-read-permissions.yaml diff --git a/modules/source/data.tf b/modules/source/data.tf new file mode 100644 index 0000000..f4244e9 --- /dev/null +++ b/modules/source/data.tf @@ -0,0 +1,6 @@ + +## Find the account id for the management account +data "aws_caller_identity" "current" {} + +## Find the current region +data "aws_region" "current" {} diff --git a/modules/source/locals.tf b/modules/source/locals.tf new file mode 100644 index 0000000..ed3eebe --- /dev/null +++ b/modules/source/locals.tf @@ -0,0 +1,12 @@ + +locals { + ## The region where the stack is being deployed + region = data.aws_region.current.name + ## Is the management account id + management_account_id = data.aws_caller_identity.current.account_id + ## The s3 bucket name for the cloudformation scripts + stacks_base_url = format("https://%s.s3.%s.amazonaws.com", var.stacks_bucket_name, local.region) + ## The account id where the dashboard is being deployed + destination_account_id = var.destination_account_id +} + diff --git a/modules/source/main.tf b/modules/source/main.tf new file mode 100644 index 0000000..43f51fe --- /dev/null +++ b/modules/source/main.tf @@ -0,0 +1,151 @@ + +## Craft and IAM policy that allows the account to access the bucket +data "aws_iam_policy_document" "stack_bucket_policy" { + statement { + effect = "Allow" + actions = [ + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject", + ] + principals { + type = "AWS" + identifiers = [local.management_account_id] + } + resources = [ + format("arn:aws:s3:::%s", var.stacks_bucket_name), + format("arn:aws:s3:::%s/*", var.stacks_bucket_name), + ] + } + + statement { + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:ListBucket", + ] + principals { + type = "AWS" + identifiers = [local.management_account_id] + } + resources = [ + format("arn:aws:s3:::%s", var.stacks_bucket_name), + format("arn:aws:s3:::%s/*", var.stacks_bucket_name), + ] + } +} + +## Provision a bucket used to contain the cloudformation templates +# tfsec:ignore:aws-s3-enable-bucket-logging +module "cloudformation_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + attach_policy = true + block_public_acls = true + block_public_policy = true + bucket = var.stacks_bucket_name + expected_bucket_owner = local.management_account_id + force_destroy = true + ignore_public_acls = true + object_ownership = "BucketOwnerPreferred" + policy = data.aws_iam_policy_document.stack_bucket_policy.json + restrict_public_buckets = true + tags = var.tags + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } + + versioning = { + enabled = true + } +} + +## Upload the cloudformation templates to the bucket +resource "aws_s3_object" "cloudformation_templates" { + for_each = fileset("${path.module}/assets/cloudformation/", "**/*.yaml") + + bucket = module.cloudformation_bucket.s3_bucket_id + etag = filemd5("${path.module}/assets/cloudformation/${each.value}") + key = each.value + server_side_encryption = "AES256" + source = "${path.module}/assets/cloudformation/${each.value}" +} + +## Setup the replication from the management account to the collector account +## to receive the CUR data +# tfsec:ignore:aws-s3-enable-bucket-logging +# tfsec:ignore:aws-iam-no-policy-wildcards +module "source" { + source = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cur-setup-source?ref=0.3.13" + + # The destination bucket to repliaction the CUR data to + destination_bucket_arn = var.destination_bucket_arn + + providers = { + aws.useast1 = aws.us_east_1 + } +} + +## Provision the stack contain the cora data exports in the management account +## Deployment of same stack the management account +resource "aws_cloudformation_stack" "core_data_export_management" { + count = var.enable_cora_data_exports ? 1 : 0 + + capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] + name = var.stack_name_cora_data_exports_source + on_failure = "ROLLBACK" + tags = var.tags + template_url = format("%s/cudos/%s", local.stacks_base_url, "data-exports-aggregation.yaml") + + parameters = { + "DestinationAccountId" = local.destination_account_id, + "EnableSCAD" = var.enable_scad ? "yes" : "no", + "ManageCOH" = "yes", + "ManageCUR2" = "no", + "SourceAccountIds" = local.management_account_id, + } + + lifecycle { + ignore_changes = [ + capabilities, + ] + } +} + +## We need to provision the read permissions stack within the management account, note +## this effectively creates a stackset which is deployed to all accounts within the +## organization +resource "aws_cloudformation_stack" "cudos_read_permissions" { + name = var.stack_name_read_permissions + capabilities = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"] + template_url = format("%s/cudos/%s", local.stacks_base_url, "deploy-data-read-permissions.yaml") + + parameters = { + "AllowModuleReadInMgmt" = "yes", + "DataCollectionAccountID" = local.destination_account_id, + "IncludeBackupModule" = var.enable_backup_module ? "yes" : "no", + "IncludeBudgetsModule" = var.enable_budgets_module ? "yes" : "no", + "IncludeComputeOptimizerModule" = var.enable_compute_optimizer_module ? "yes" : "no", + "IncludeCostAnomalyModule" = var.enable_cost_anomaly_module ? "yes" : "no", + "IncludeECSChargebackModule" = var.enable_ecs_chargeback_module ? "yes" : "no", + "IncludeHealthEventsModule" = var.enable_health_events_module ? "yes" : "no" + "IncludeInventoryCollectorModule" = var.enable_inventory_module ? "yes" : "no", + "IncludeRDSUtilizationModule" = var.enable_rds_utilization_module ? "yes" : "no", + "IncludeRightsizingModule" = var.enable_rightsizing_module ? "yes" : "no", + "IncludeTAModule" = var.enable_tao_module ? "yes" : "no", + "IncludeTransitGatewayModule" = var.enable_transit_gateway_module ? "yes" : "no", + "OrganizationalUnitIds" = join(",", var.organizational_unit_ids) + } + + depends_on = [ + aws_s3_object.cloudformation_templates, + module.source, + ] +} diff --git a/modules/source/outputs.tf b/modules/source/outputs.tf new file mode 100644 index 0000000..e69f5ec --- /dev/null +++ b/modules/source/outputs.tf @@ -0,0 +1,17 @@ + +output "management_account_id" { + description = "The AWS account ID for the management account" + value = local.management_account_id +} + +output "cloudformation_bucket_name" { + description = "The name of the bucket to store the CloudFormation templates" + value = var.stacks_bucket_name +} + +output "cloudformation_bucket_url" { + description = "The URL of the bucket to store the CloudFormation templates" + value = format("https://%s.s3.%s.amazonaws.com", var.stacks_bucket_name, local.region) +} + + diff --git a/modules/source/terraform.tf b/modules/source/terraform.tf new file mode 100644 index 0000000..ac73a40 --- /dev/null +++ b/modules/source/terraform.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + configuration_aliases = [ + aws.us_east_1, + ] + } + } +} diff --git a/modules/source/variables.tf b/modules/source/variables.tf new file mode 100644 index 0000000..975ad58 --- /dev/null +++ b/modules/source/variables.tf @@ -0,0 +1,117 @@ + +variable "tags" { + description = "Tags to apply to all resources" + type = map(string) +} + +variable "destination_account_id" { + description = "The AWS account ID for the destination account" + type = string +} + +variable "destination_bucket_arn" { + description = "The ARN of the bucket where to replicate the data from the CUR" + type = string +} + +variable "stacks_bucket_name" { + description = "The name of the bucket to store the CloudFormation templates" + type = string + default = "cid-cloudformation-templates" +} + +variable "stack_name_read_permissions" { + description = "The name of the CloudFormation stack to create the collectors" + type = string + default = "CidDataCollectionReadPermissionsStack" +} + +variable "stack_name_cora_data_exports_source" { + description = "The name of the CloudFormation stack to create the CORA Data Exports" + type = string + default = "CidCoraCoraDataExportsSourceStack" +} + +variable "enable_cost_anomaly_module" { + description = "Indicates if the Cost Anomaly module should be enabled" + type = bool + default = true +} + +variable "enable_scad" { + description = "Indicates if the SCAD module should be enabled, only available when Cora enabled" + type = bool + default = false +} + +variable "enable_health_events_module" { + description = "Indicates if the Health Events module should be enabled" + type = bool + default = true +} + +variable "enable_backup_module" { + description = "Indicates if the Backup module should be enabled" + type = bool + default = true +} + +variable "enable_budgets_module" { + description = "Indicates if the Budget module should be enabled" + type = bool + default = true +} + +variable "enable_ecs_chargeback_module" { + description = "Indicates if the ECS Chargeback module should be enabled" + type = bool + default = false +} + +variable "enable_compute_optimizer_module" { + description = "Indicates if the Compute Optimizer module should be enabled" + type = bool + default = true +} + +variable "enable_tao_module" { + description = "Indicates if the TAO module should be enabled" + type = bool + default = true +} + +variable "enable_transit_gateway_module" { + description = "Indicates if the Transit Gateway module should be enabled" + type = bool + default = true +} + +variable "enable_inventory_module" { + description = "Indicates if the Inventory module should be enabled" + type = bool + default = true +} + +variable "enable_rds_utilization_module" { + description = "Indicates if the RDS Utilization module should be enabled" + type = bool + default = true +} + +variable "enable_cora_data_exports" { + description = "Indicates if the CORA Data Exports module should be enabled" + type = bool + default = false +} + +variable "enable_rightsizing_module" { + description = "Indicates if the Rightsizing module should be enabled" + type = bool + default = true +} + +variable "organizational_unit_ids" { + description = "List of organization units where the read permissions stack will be deployed" + type = list(string) + default = [] +} diff --git a/outputs.tf b/outputs.tf deleted file mode 100644 index 76c1851..0000000 --- a/outputs.tf +++ /dev/null @@ -1,50 +0,0 @@ - -output "destination_bucket_name" { - description = "The name of the destination bucket" - value = module.collector.cur_bucket_name -} - -output "destination_bucket_arn" { - description = "The ARN of the destination bucket" - value = module.collector.cur_bucket_arn -} - -output "destination_bucket_short_url" { - description = "The domain name of the destination bucket" - value = format("s3://%s", module.cloudformation_bucket.s3_bucket_id) -} - -output "destination_bucket_website_url" { - description = "The URL for the destination bucket" - value = format("https://%s.amazonaws.com", module.cloudformation_bucket.s3_bucket_id) -} - -output "destination_account_id" { - description = "The account ID of the destination bucket" - value = local.cost_analysis_account_id -} - -output "source_account_id" { - description = "The account ID of the source account i.e. the management account" - value = local.management_account_id -} - -output "cloudformation_bucket_name" { - description = "The name of the bucket to store the CloudFormation templates" - value = var.stacks_bucket_name -} - -output "cloudformation_bucket_arn" { - description = "The ARN of the bucket to store the CloudFormation templates" - value = format("arn:aws:s3:::%s", var.stacks_bucket_name) -} - -output "cloudformation_bucket_short_url" { - description = "The domain name of the bucket to store the CloudFormation templates" - value = format("s3://%s", var.stacks_bucket_name) -} - -output "cloudformation_bucket_website_url" { - description = "The URL for the bucket to store the CloudFormation templates" - value = format("https://%s.amazonaws.com", var.stacks_bucket_name) -}
identity_type = optional(string, "IAM")
namespace = optional(string, "default")
role = optional(string, "READER")
}))