Merge remote-tracking branch 'origin/main'

Alexander Wiechert · Alexander Wiechert · commit 37b0914d0593 · 2025-05-12T10:36:57.000+02:00
# Conflicts:
#	README.md
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -1,4 +1,3 @@
-
 name: Terraform CI
 
 on:
@@ -11,59 +10,73 @@ on:
 
 jobs:
   terraform:
-    name: Terraform Validate, Format, Plan, Security
+    name: Terraform and OpenTofu Validate, Format, Plan, Security
     runs-on: ubuntu-latest
 
+    strategy:
+      matrix:
+        cli: [terraform, opentofu]
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
 
       - name: Set up Terraform
+        if: matrix.cli == 'terraform'
         uses: hashicorp/setup-terraform@v2
 
-      - name: Terraform Format Check
-        run: terraform fmt -check -recursive
+      - name: Set up OpenTofu
+        if: matrix.cli == 'opentofu'
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: latest
+
+      - name: Format Check
+        run: ${{ matrix.cli }} fmt -check -recursive
 
-      - name: Terraform Init & Validate (root)
+      - name: Init & Validate (root)
         run: |
-          terraform init
-          terraform validate
+          ${{ matrix.cli }} init
+          ${{ matrix.cli }} validate
 
-      - name: Terraform Init & Validate (iam-user example)
+      - name: Init & Validate (iam-user example)
         working-directory: examples/iam-user
         run: |
-          terraform init
-          terraform validate
+          ${{ matrix.cli }} init
+          ${{ matrix.cli }} validate
 
-      - name: Terraform Plan (iam-user example)
+      - name: Plan (iam-user example)
         working-directory: examples/iam-user
-        run: terraform plan -no-color
+        run: ${{ matrix.cli }} plan -no-color
 
-      - name: Terraform Init & Validate (cross-account-role example)
+      - name: Init & Validate (cross-account-role example)
         working-directory: examples/cross-account-role
         run: |
-          terraform init
-          terraform validate
+          ${{ matrix.cli }} init
+          ${{ matrix.cli }} validate
 
-      - name: Terraform Plan (cross-account-role example)
+      - name: Plan (cross-account-role example)
         working-directory: examples/cross-account-role
-        run: terraform plan -no-color
+        run: ${{ matrix.cli }} plan -no-color
 
       - name: Run Checkov (root)
+        if: matrix.cli == 'terraform'
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: .
           quiet: true
           soft_fail: true
 
       - name: Run Checkov (iam-user example)
+        if: matrix.cli == 'terraform'
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: examples/iam-user
           quiet: true
           soft_fail: true
 
       - name: Run Checkov (cross-account-role example)
+        if: matrix.cli == 'terraform'
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: examples/cross-account-role
diff --git a/README.md b/README.md
@@ -0,0 +1,119 @@
+[![Terraform CI](https://github.com/elastic2ls-com/terraform-aws-finops-costreview-access/actions/workflows/terraform.yml/badge.svg)](https://github.com/elastic2ls-com/terraform-aws-finops-costreview-access/actions)
+![License](https://img.shields.io/badge/license-MIT-brightgreen?logo=mit)
+![Status](https://img.shields.io/badge/status-active-brightgreen.svg?logo=git)
+[![Sponsor](https://img.shields.io/badge/sponsors-AlexanderWiechert-blue.svg?logo=github-sponsors)](https://github.com/sponsors/AlexanderWiechert/)
+[![Contact](https://img.shields.io/badge/website-elastic2ls.com-blue.svg?logo=google-chrome)](https://www.elastic2ls.com/)
+[![Terraform Registry](https://img.shields.io/badge/download-blue.svg?logo=terraform&style=social)](https://registry.terraform.io/modules/elastic2ls-com/finops-costreview-access/aws/latest)
+![OpenTofu Compatible](https://img.shields.io/badge/OpenTofu-Compatible-4E9A06?logo=opentofu)
+
+# terraform-aws-finops-costreview-access
+
+Terraform module to create an IAM user or cross-account IAM role for external FinOps cost reviews in an AWS account.
+
+This module is compatible with both Terraform (>=1.3) and OpenTofu (>=1.3).
+
+---
+
+## Features
+
+- Create **IAM user** with read-only access for Billing, Cost Explorer, CloudWatch.
+- Create **cross-account IAM role** with trust policy for a service provider.
+- Optional: attach `AWSOrganizationsReadOnlyAccess` policy.
+- Flexible naming of user and role, with defaults.
+- Includes examples and CI workflow with security checks.
+
+---
+
+## Usage
+
+### IAM User (default mode)
+
+```hcl
+module "finops_access" {
+  source      = "github.com/elastic2ls-com/terraform-aws-finops-costreview-access"
+  mode        = "iam-user"
+  account_id  = "123456789012"
+  user_name   = "finops-review-user"
+  role_name   = "finops-review-role"
+}
+```
+
+### Cross-Account Role
+
+```hcl
+module "finops_access" {
+  source                      = "github.com/elastic2ls-com/terraform-aws-finops-costreview-access"
+  mode                        = "cross-account-role"
+  service_provider_account_id = "123456789012"
+  service_provider_role_name  = "finops-review-role"
+  external_id                 = "your-secure-external-id"     # Optional
+  role_name                   = "custom-finops-role"    # Optional, default: 'FinOpsCostReviewRole'
+  user_name                   = "custom-finops-user"    # Optional, default: 'finops-review-user' (ignored in this mode)
+  attach_organizations_policy = true
+}
+```
+
+## Security Best Practices
+
+- Use `service_provider_role_name` to limit access to a specific role.
+- Set `external_id` to prevent the confused-deputy problem.
+- Avoid using account root (`arn:aws:iam::<account_id>:root`) as principal.
+
+---
+
+## Examples
+
+- [IAM User Example](./examples/iam-user/main.tf)
+- [Cross-Account Role Example](./examples/cross-account-role/main.tf)
+
+---
+
+## Variables
+
+| Name                        | Description                                                         | Type    | Default                  |
+|-----------------------------|---------------------------------------------------------------------|---------|--------------------------|
+| `mode`                     | Access mode: `'iam-user'` or `'cross-account-role'`                | string  | `"iam-user"`           |
+| `user_name`                | IAM user name (for `iam-user` mode). Defaults to `'finops-review-user'`. | string  | `"finops-review-user"` |
+| `service_provider_account_id` | AWS account ID of the service provider (for role mode)           | string  | `""`                  |
+| `role_name`                | IAM role name (for `cross-account-role` mode). Defaults to `'FinOpsCostReviewRole'`. | string  | `"FinOpsCostReviewRole"` |
+| `attach_organizations_policy` | Whether to attach `AWSOrganizationsReadOnlyAccess` policy        | bool    | `false`               |
+
+---
+
+## Outputs
+
+| Name       | Description                      |
+|------------|----------------------------------|
+| `user_name` | IAM user name (if created)      |
+| `user_arn`  | IAM user ARN (if created)       |
+| `role_name` | IAM role name (if created)      |
+| `role_arn`  | IAM role ARN (if created)       |
+
+---
+
+## Requirements
+
+- Terraform ≥ 1.3
+- AWS Provider ≥ 5.0
+
+---
+
+## CI/CD
+
+This module uses GitHub Actions to run:
+- `terraform fmt`
+- `terraform validate`
+- `terraform plan` on examples
+- `checkov` security scan
+
+---
+
+## License
+
+[MIT](./LICENSE)
+
+---
+
+## Maintainers
+
+[elastic2ls](https://github.com/elastic2ls-com)
