https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding

A deployable architecture which will fully onboard a standard or enterprise IBM Cloud account to IBM Cloudability.
# IBM Cloudability onboarding Deployable Architecture (DA)

[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-cloudability-onboarding?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding/releases/latest)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)

This Deployable Architecture will fully onboard a standard IBM Cloud account or an entire IBM Cloud enterprise to IBM Cloudability. The DA performs the following actions:

- Creates an encrypted COS bucket to store billing reports
- Enables daily Billing Report exports to the COS Bucket
- Grants Cloudability access to read the billing reports from the bucket for ingestion
- *If the account is an enterprise*: Grants Cloudability access to read the list of child accounts in the enterprise
- Cloudability access is controlled in a custom role so only the minimum access is given.
- Adds the IBM Cloud account/enterprise to IBM Cloudability

:exclamation: **Important:** This Deployable Architecture solution is not intended to be called by other modules because it contains a provider configuration and is therefore not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

## Overview
* [terraform-ibm-cloudability-onboarding](#terraform-ibm-cloudability-onboarding)
* [Submodules](./modules)
    * [billing-exports](./modules/billing-exports)
    * [cloudability-bucket-access](./modules/cloudability-bucket-access)
    * [cloudability-enterprise-access](./modules/cloudability-enterprise-access)
    * [cloudability-onboarding](./modules/cloudability-onboarding)
    * [data-resource-instance-by-id](./modules/data-resource-instance-by-id)
    * [encrypted_cos_bucket](./modules/encrypted_cos_bucket)
* [Contributing](#contributing)

## Reference architectures

![cloudability-all-inclusive-onboarding](./reference-architecture/cloudability-all-inclusive-onboarding.svg)

## terraform-ibm-cloudability-onboarding

### Required IAM access policies

You need the following permissions to run this module:

- IAM services
    - **Cloud Object Storage** service
        - `Administrator` platform access
        - `Manager`, `ObjectReader` service access
    - **Key Protect** service
        - `Editor` platform access
        - `Manager` service access
- Account management services
    - **Billing** service
        - `Administrator` platform access
    - **Enterprise** service (only for enterprise accounts)
        - `Viewer` platform access
    - **IAM Access Management** service (only for enterprise accounts)
        - `Administrator` platform access

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >=1.3.0 |
| [cloudability](#requirement\_cloudability) | 0.0.36 |
| [ibm](#requirement\_ibm) | 1.69.2 |
| [restapi](#requirement\_restapi) | 1.20.0 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| [billing\_exports](#module\_billing\_exports) | ./modules/billing-exports | n/a |
| [cloudability\_bucket\_access](#module\_cloudability\_bucket\_access) | ./modules/cloudability-bucket-access | n/a |
| [cloudability\_enterprise\_access](#module\_cloudability\_enterprise\_access) | ./modules/cloudability-enterprise-access | n/a |
| [cloudability\_onboarding](#module\_cloudability\_onboarding) | ./modules/cloudability-onboarding | n/a |
| [cos\_bucket](#module\_cos\_bucket) | ./modules/encrypted_cos_bucket | n/a |
| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 |

### Resources

| Name | Type |
|------|------|
| [ibm_enterprises.enterprises](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.69.2/docs/data-sources/enterprises) | data source |
| [ibm_iam_account_settings.billing_exports_account](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.69.2/docs/data-sources/iam_account_settings) | data source |
| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.69.2/docs/data-sources/iam_auth_token) | data source |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_tags](#input\_access\_tags) | A list of access tags to apply to the cos instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | `list(string)` | `[]` | no |
| [activity\_tracker\_crn](#input\_activity\_tracker\_crn) | Activity Tracker CRN for the COS bucket (Optional) | `string` | `null` | no |
| [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add random generated suffix (4 characters long) to the newly provisioned COS bucket name (Optional). | `bool` | `true` | no |
| [archive\_days](#input\_archive\_days) | Specifies the number of days when the archive rule action takes effect. Only used if 'create\_cos\_bucket' is true. This must be set to null when using var.cross\_region\_location, as archive data is not supported with this feature. | `number` | `null` | no |
| [archive\_type](#input\_archive\_type) | Specifies the storage class or archive type to which you want the object to transition. Only used if 'create\_cos\_bucket' is true. | `string` | `"Glacier"` | no |
| [bucket\_cbr\_rules](#input\_bucket\_cbr\_rules) | (Optional, list) List of CBR rules to create for the bucket | <pre>list(object({<br>  description = string<br>  account_id = string<br>  rule_contexts = list(object({<br>    attributes = optional(list(object({<br>      name = string<br>      value = string<br>    })))<br>  }))<br>  enforcement_mode = string<br>  tags = optional(list(object({<br>    name = string<br>    value = string<br>  })), [])<br>  operations = optional(list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  })))<br>}))</pre> | `[]` | no |
| [bucket\_name](#input\_bucket\_name) | The name to give the newly provisioned COS bucket. Only required if 'create\_cos\_bucket' is true. | `string` | `"apptio-cldy-billing-snapshots"` | no |
| [bucket\_storage\_class](#input\_bucket\_storage\_class) | The storage class of the newly provisioned COS bucket. Only required if 'create\_cos\_bucket' is true. Supported values are 'standard', 'vault', 'cold', 'smart' and `onerate_active`. | `string` | `"standard"` | no |
| [cloudability\_api\_key](#input\_cloudability\_api\_key) | Cloudability API key. Retrieve your API key from https://app.apptio.com/cloudability#/settings/preferences: under the section **Cloudability API**, select **Enable API**, which generates an API key. Setting this value to __NULL__ skips adding the IBM Cloud account to Cloudability and only configures IBM Cloud so that the IBM Cloud account can be added to Cloudability manually. | `string` | `null` | no |
| [cloudability\_custom\_role\_name](#input\_cloudability\_custom\_role\_name) | Name of the custom role that grants the Cloudability service ID access to read from the billing reports COS bucket | `string` | `"CloudabilityStorageCustomRole"` | no |
| [cloudability\_enterprise\_custom\_role\_name](#input\_cloudability\_enterprise\_custom\_role\_name) | Name of the custom role that grants a Cloudability service ID access to read the enterprise information. Only used if var.is\_enterprise\_account is set. | `string` | `"CloudabilityListAccCustomRole"` | no |
| [cloudability\_host](#input\_cloudability\_host) | IBM Cloudability host name as described in https://help.apptio.com/en-us/cloudability/api/v3/getting_started_with_the_cloudability.htm#authentication | `string` | `"api.cloudability.com"` | no |
| [cos\_folder](#input\_cos\_folder) | Folder in the COS bucket to store the account data | `string` | `"IBMCloud-Billing-Reports"` | no |
| [cos\_instance\_name](#input\_cos\_instance\_name) | The name to give the cloud object storage instance that will be provisioned by this module. Only required if 'create\_cos\_instance' is true. | `string` | `"ibm-cloudability"` | no |
| [cos\_plan](#input\_cos\_plan) | Plan to be used for creating the cloud object storage instance. Only used if 'create\_cos\_instance' is true. | `string` | `"standard"` | no |
| [create\_cos\_instance](#input\_create\_cos\_instance) | Set as true to create a new Cloud Object Storage instance. | `bool` | `true` | no |
| [create\_key\_protect\_instance](#input\_create\_key\_protect\_instance) | Set as true to create a new Key Protect instance. | `bool` | `true` | no |
| [cross\_region\_location](#input\_cross\_region\_location) | Specify the cross-regional bucket location. Supported values are 'us', 'eu', and 'ap'. If you pass a value for this, ensure to set the value of var.region to null. | `string` | `null` | no |
| [enable\_billing\_exports](#input\_enable\_billing\_exports) | Whether billing exports should be enabled | `bool` | `true` | no |
| [enable\_cloudability\_access](#input\_enable\_cloudability\_access) | Whether to grant cloudability access to read the billing reports | `bool` | `true` | no |
| [enterprise\_id](#input\_enterprise\_id) | Id of the enterprise. Can be automatically retrieved if `is_enterprise_account` is true | `string` | `null` | no |
| [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing cloud object storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Key Protect or Hyper Protect instance in which the key specified in var.kms\_key\_crn is coming from. Required if var.skip\_iam\_authorization\_policy is false in order to create an IAM Access Policy to allow Key Protect or Hyper Protect to access the newly created COS instance. | `string` | `null` | no |
| [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. Only used if 'create\_cos\_bucket' is true. | `number` | `null` | no |
| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key which will enable billing exports | `string` | n/a | yes |
| [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rules to create for the instance | <pre>list(object({<br>  description = string<br>  account_id = string<br>  rule_contexts = list(object({<br>    attributes = optional(list(object({<br>      name = string<br>      value = string<br>    })))<br>  }))<br>  enforcement_mode = string<br>  tags = optional(list(object({<br>    name = string<br>    value = string<br>  })), [])<br>  operations = optional(list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  })))<br>}))</pre> | `[]` | no |
| [is\_enterprise\_account](#input\_is\_enterprise\_account) | Whether billing exports are enabled for the enterprise account | `bool` | `false` | no |
| [key\_name](#input\_key\_name) | Name of the cos bucket encryption key | `string` | `null` | no |
| [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | Key Protect instance name | `string` | `"cloudability-bucket-encryption"` | no |
| [key\_ring\_name](#input\_key\_ring\_name) | Name of the key ring to group keys | `string` | `"bucket-encryption"` | no |
| [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM terraform provider to use to manage the bucket. (public, private or direct) | `string` | `"public"` | no |
| [object\_versioning\_enabled](#input\_object\_versioning\_enabled) | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with retention rule. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
| [policy\_granularity](#input\_policy\_granularity) | Whether access to the cos bucket is controlled at the bucket (resource), cos instance (serviceInstance), or resource-group (resourceGroup). | `string` | `"resource"` | no |
| [region](#input\_region) | Region where resources will be created | `string` | `"us-south"` | no |
| [resource\_group\_name](#input\_resource\_group\_name) | The name of an existing resource group to provision resources in to. | `string` | `"Default"` | no |
| [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no |
| [retention\_default](#input\_retention\_default) | Specifies default duration of time an object that can be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `90` | no |
| [retention\_enabled](#input\_retention\_enabled) | Retention enabled for COS bucket. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
| [retention\_maximum](#input\_retention\_maximum) | Specifies maximum duration of time an object that can be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `365` | no |
| [retention\_minimum](#input\_retention\_minimum) | Specifies minimum duration of time an object must be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `1` | no |
| [retention\_permanent](#input\_retention\_permanent) | Specifies a permanent retention status either enable or disable for COS bucket. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the KMS instance in `existing_kms_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created | `bool` | `false` | no |
| [skip\_verification](#input\_skip\_verification) | Whether to verify the account after adding it to Cloudability. Requires cloudability\_auth\_header to be set. | `bool` | `false` | no |
| [sysdig\_crn](#input\_sysdig\_crn) | Cloud Monitoring CRN for the COS bucket (Optional) | `string` | `null` | no |
| [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether the value of the `resource_group_name` input refers to a new or an existing resource group | `bool` | `true` | no |
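Several inputs above only make sense in combination (for example, `archive_days` and `region` must be null when `cross_region_location` is set, and object versioning cannot be combined with retention). The following pre-flight script is an added example, not code from this repository or from terraform-ibm-modules: it encodes those constraints from the Inputs table so a `.tfvars.json` file can be checked before `terraform plan`. The `check_inputs` function, the `SAMPLE_TFVARS` dictionary and the relaxation that `existing_kms_instance_guid` is only needed when `create_key_protect_instance` is false are all assumptions of this example.

```python
"""Pre-flight consistency checks for terraform-ibm-cloudability-onboarding inputs.

Added example, not part of the module. It only flags input combinations that the
README's Inputs table describes as unsupported; Terraform still validates types.
"""
import json
import sys

# Allowed values quoted from the Inputs table.
STORAGE_CLASSES = {"standard", "vault", "cold", "smart", "onerate_active"}
CROSS_REGION_LOCATIONS = {"us", "eu", "ap"}
POLICY_GRANULARITIES = {"resource", "serviceInstance", "resourceGroup"}
ENDPOINT_TYPES = {"public", "private", "direct"}

# Defaults quoted from the Inputs table, applied to keys the tfvars file omits.
DEFAULTS = {
    "ibmcloud_api_key": None,
    "create_cos_instance": True,
    "existing_cos_instance_id": None,
    "create_key_protect_instance": True,
    "skip_iam_authorization_policy": False,
    "existing_kms_instance_guid": None,
    "cross_region_location": None,
    "region": "us-south",
    "archive_days": None,
    "object_versioning_enabled": False,
    "retention_enabled": False,
    "retention_minimum": 1,
    "retention_default": 90,
    "retention_maximum": 365,
    "bucket_storage_class": "standard",
    "policy_granularity": "resource",
    "management_endpoint_type_for_bucket": "public",
}


def check_inputs(tfvars: dict) -> list:
    """Return a list of problems; an empty list means the combination is consistent."""
    v = {**DEFAULTS, **tfvars}
    problems = []

    if not v["ibmcloud_api_key"]:
        problems.append("ibmcloud_api_key is required")

    if not v["create_cos_instance"] and not v["existing_cos_instance_id"]:
        problems.append("existing_cos_instance_id is required when create_cos_instance is false")

    # The table says the KMS GUID is required when the authorization policy is not skipped.
    # Assumption of this example: when the DA creates its own Key Protect instance the
    # GUID comes from that instance, so only check when an existing instance is used.
    if (not v["create_key_protect_instance"] and not v["skip_iam_authorization_policy"]
            and not v["existing_kms_instance_guid"]):
        problems.append("existing_kms_instance_guid is required when skip_iam_authorization_policy is false")

    loc = v["cross_region_location"]
    if loc is not None:
        if loc not in CROSS_REGION_LOCATIONS:
            problems.append(f"cross_region_location {loc!r} not in {sorted(CROSS_REGION_LOCATIONS)}")
        if v["region"] is not None:
            problems.append("region must be null when cross_region_location is set")
        if v["archive_days"] is not None:
            problems.append("archive_days must be null when cross_region_location is set (archive unsupported)")

    if v["object_versioning_enabled"] and v["retention_enabled"]:
        problems.append("object_versioning_enabled cannot be used together with retention_enabled")

    # Ordering follows from the minimum/default/maximum descriptions in the table.
    if v["retention_enabled"] and not (
            v["retention_minimum"] <= v["retention_default"] <= v["retention_maximum"]):
        problems.append("retention_minimum <= retention_default <= retention_maximum must hold")

    for key, allowed in (("bucket_storage_class", STORAGE_CLASSES),
                         ("policy_granularity", POLICY_GRANULARITIES),
                         ("management_endpoint_type_for_bucket", ENDPOINT_TYPES)):
        if v[key] not in allowed:
            problems.append(f"{key} {v[key]!r} not in {sorted(allowed)}")

    return problems


# Constructed sample (not from the repository): an enterprise onboarding into the
# EU cross-region location that forgot to clear archive_days.
SAMPLE_TFVARS = {
    "ibmcloud_api_key": "<redacted>",
    "is_enterprise_account": True,
    "cross_region_location": "eu",
    "region": None,
    "archive_days": 30,
}


def check_file(path: str) -> list:
    """Load a .tfvars.json file and run the checks on it."""
    with open(path, encoding="utf-8") as fh:
        return check_inputs(json.load(fh))


if __name__ == "__main__":
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_inputs(SAMPLE_TFVARS)
    for p in found:
        print("problem:", p)
    sys.exit(1 if found else 0)
```

Run it as `python preflight.py terraform.tfvars.json` before `terraform plan`; with no argument it checks the constructed sample and reports the `archive_days` conflict. The same rules could be expressed as `validation` blocks in the module's `variables.tf`, but running them on the tfvars file catches the mistake without needing provider credentials.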

### Outputs

| Name | Description |
|------|-------------|
| [bucket\_account\_cloudability\_custom\_role\_display\_name](#output\_bucket\_account\_cloudability\_custom\_role\_display\_name) | Display name of the custom role that grants cloudability access to read the billing reports from the cos bucket |
| [bucket\_cbr\_rules](#output\_bucket\_cbr\_rules) | COS bucket rules |
| [bucket\_crn](#output\_bucket\_crn) | Bucket CRN |
| [bucket\_id](#output\_bucket\_id) | Bucket id |
| [bucket\_name](#output\_bucket\_name) | Bucket name |
| [bucket\_storage\_class](#output\_bucket\_storage\_class) | Bucket Storage Class |
| [cbr\_rule\_ids](#output\_cbr\_rule\_ids) | List of all rule ids |
| [cos\_instance\_guid](#output\_cos\_instance\_guid) | The GUID of the Cloud Object Storage Instance where the buckets are created |
| [cos\_instance\_id](#output\_cos\_instance\_id) | The ID of the Cloud Object Storage Instance where the buckets are created |
| [enterprise\_account\_id](#output\_enterprise\_account\_id) | Primary account ID of the enterprise if `is_enterprise_account` is enabled |
| [enterprise\_cloudability\_custom\_role\_display\_name](#output\_enterprise\_cloudability\_custom\_role\_display\_name) | Display name of the custom role that grants cloudability access to read the enterprise accounts |
| [enterprise\_id](#output\_enterprise\_id) | ID of the enterprise if `is_enterprise_account` is enabled |
| [instance\_cbr\_rules](#output\_instance\_cbr\_rules) | COS instance rules |
| [key\_protect\_guid](#output\_key\_protect\_guid) | Key Protect GUID |
| [key\_protect\_id](#output\_key\_protect\_id) | Key Protect service instance ID when an instance is created, otherwise null |
| [key\_protect\_instance\_policies](#output\_key\_protect\_instance\_policies) | Instance policies of the Key Protect instance |
| [key\_protect\_name](#output\_key\_protect\_name) | Key Protect Name |
| [key\_rings](#output\_key\_rings) | IDs of new Key Rings created by the module |
| [keys](#output\_keys) | IDs of new Keys created by the module |
| [kms\_key\_crn](#output\_kms\_key\_crn) | The CRN of the KMS key used to encrypt the COS bucket |
| [resource\_group\_id](#output\_resource\_group\_id) | Resource Group ID |
| [s3\_endpoint\_public](#output\_s3\_endpoint\_public) | S3 public endpoint |

## Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.