first commit

Author: Alexander Wiechert

.github/release-drafter.yml

@@ -0,0 +1,29 @@
+
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: 'Features'
+    labels:
+      - 'feature'
+  - title: 'Bug Fixes'
+    labels:
+      - 'bug'
+  - title: 'Maintenance'
+    labels:
+      - 'chore'
+      - 'documentation'
+change-template: '- $TITLE (#$NUMBER)'
+no-changes-template: '- No changes'
+
+autolabeler:
+  - label: 'feature'
+    files:
+      - '*.tf'
+      - '*.go'
+  - label: 'documentation'
+    files:
+      - '**/*.md'
+
+template: |
+  ## Changes
+  $CHANGES

.github/workflows/terraform.yml

@@ -0,0 +1,59 @@
+name: Terraform CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  terraform:
+    name: Terraform Validate, Format, Plan, Security
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v2
+
+      # Format Check (root + alle Unterordner)
+      - name: Terraform Format Check
+        run: terraform fmt -check -recursive
+
+      # Init & Validate (root module)
+      - name: Terraform Init & Validate (root module)
+        run: |
+          terraform init
+          terraform validate
+
+      # Init & Validate (basic example)
+      - name: Terraform Init & Validate (basic example)
+        working-directory: examples/basic
+        run: |
+          terraform init
+          terraform validate
+
+      # Terraform Plan (basic example)
+      - name: Terraform Plan (basic example)
+        working-directory: examples/basic
+        run: terraform plan -no-color
+
+      # Checkov Security Scan (root module)
+      - name: Run Checkov (root module)
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          quiet: true
+          soft_fail: true
+
+      # Checkov Security Scan (basic example)
+      - name: Run Checkov (basic example)
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: examples/basic
+          quiet: true
+          soft_fail: true

.gitignore

@@ -0,0 +1,10 @@
+
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+crash.log
+*.swp
+*.DS_Store
+.idea/
+.vscode/

CHANGELOG.md

@@ -0,0 +1,25 @@
+
+# Changelog
+
+Alle wichtigen Änderungen an diesem Projekt werden in diesem Dokument dokumentiert.
+
+Das Format basiert auf [Keep a Changelog](https://keepachangelog.com/de/1.0.0/).
+
+## [Unreleased]
+
+- Hinzufügen von .github Actions Workflow
+- Erstellen eines Beispielprojekts in `examples/basic`
+- README.md und CHANGELOG.md hinzugefügt
+
+## [v1.0.0] – 2024-05-XX
+
+- Erstveröffentlichung
+- Überwachung von EBS-Volumes (BurstBalance, ReadOps, WriteOps)
+- Dynamische Alarmschwellen pro Volumentyp (gp2, gp3, io1, io2, st1, sc1)
+- Tag-basierte Filterung (`Environment = Production`)
+- SNS-Integration mit konfigurierbarem Email-Empfänger
+- Beispiele und CI/CD-Pipeline mit Checkov-Sicherheitsprüfungen
+
+## Lizenz
+
+Dieses Projekt steht unter der [MIT-Lizenz](./LICENSE).

CONTRIBUTING.md

@@ -0,0 +1,14 @@
+
+# Contributing
+
+Thank you for considering contributing!
+
+## How to contribute
+- Fork the repo
+- Create a feature branch
+- Run terraform fmt, validate
+- Submit a PR
+
+## Code Guidelines
+- Use clear commit messages
+- Update CHANGELOG.md

LICENSE

@@ -0,0 +1,11 @@
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

README.md

@@ -0,0 +1,101 @@
+[![Terraform CI](https://github.com/elastic2ls-com/terraform-aws-ebs-optimization/actions/workflows/terraform.yml/badge.svg)](https://github.com/elastic2ls-com/terraform-aws-ebs-optimization/actions)
+![License](https://img.shields.io/badge/license-MIT-brightgreen?logo=mit)
+![Status](https://img.shields.io/badge/status-active-brightgreen.svg?logo=git)
+[![Sponsor](https://img.shields.io/badge/sponsors-AlexanderWiechert-blue.svg?logo=github-sponsors)](https://github.com/sponsors/AlexanderWiechert/)
+[![Contact](https://img.shields.io/badge/website-elastic2ls.com-blue.svg?logo=google-chrome)](https://www.elastic2ls.com/)
+[![Terraform Registry](https://img.shields.io/badge/download-blue.svg?logo=terraform&style=social)](https://registry.terraform.io/modules/elastic2ls-com/ebs-optimization/aws/latest)
+![OpenTofu Compatible](https://img.shields.io/badge/OpenTofu-Compatible-4E9A06?logo=opentofu)
+
+# terraform-aws-ebs-optimization
+
+Terraform module to monitor and optimize EBS volumes across an AWS account with dynamic CloudWatch alarms for cost-efficient storage.
+
+This module is compatible with both Terraform (>=1.4) and OpenTofu (>=1.4).
+
+---
+
+## Features
+
+- Monitor **BurstBalance**, **ReadOps**, and **WriteOps** per EBS volume.
+- Dynamically set alarm thresholds per volume type (gp2, gp3, io1, io2, st1, sc1).
+- Automatically exclude irrelevant alarms (e.g., no BurstBalance on st1/sc1).
+- Filter volumes by tags (e.g., `Environment = Production`).
+- Send alerts to SNS with configurable email subscription.
+- Includes example project and CI workflow with security checks.
+
+---
+
+## Usage
+
+```hcl
+module "ebs_optimization" {
+  source            = "github.com/elastic2ls-com/terraform-aws-ebs-optimization"
+  aws_region       = "eu-central-1"
+  tag_filter_key   = "Environment"
+  tag_filter_value = "Production"
+  sns_topic_name   = "ebs-optimization-alerts"
+  email_endpoint   = "finops-team@example.com"
+}
+```
+## Security Best Practices
+
+- Use **least privilege** on SNS subscribers.
+- Apply **Terraform state encryption** (S3 + KMS) if storing sensitive resources.
+- Periodically review alarm thresholds for changes in workload patterns.
+
+---
+
+## Examples
+
+- [Basic Example](./examples/basic/main.tf)
+
+---
+
+## Variables
+
+| Name               | Description                         | Type    | Default             |
+|---------------------|-------------------------------------|---------|---------------------|
+| aws_region         | AWS region                         | string  | "eu-central-1"     |
+| tag_filter_key     | Tag key to filter EBS volumes      | string  | "Environment"      |
+| tag_filter_value   | Tag value to filter EBS volumes    | string  | "Production"       |
+| sns_topic_name     | Name of the SNS topic for alerts   | string  | "ebs-alerts-topic" |
+| email_endpoint     | Email address for SNS subscription | string  | n/a (required)     |
+
+---
+
+## Outputs
+
+| Name                 | Description                     |
+|-----------------------|---------------------------------|
+| sns_topic_arn        | ARN of the created SNS topic   |
+| filtered_volume_ids  | List of monitored EBS volume IDs |
+
+---
+
+## Requirements
+
+- Terraform ≥ 1.4
+- AWS Provider ≥ 5.0
+
+---
+
+## CI/CD
+
+This module uses GitHub Actions to run:
+
+- `terraform fmt`
+- `terraform validate`
+- `terraform plan` on examples
+- `checkov` security scan
+
+---
+
+## License
+
+MIT
+
+---
+
+## Maintainers
+
+[elastic2ls](https://github.com/elastic2ls-com)

examples/basic/main.tf

@@ -0,0 +1,9 @@
+module "ebs_optimization" {
+  source = "../../"
+
+  aws_region       = "eu-central-1"
+  tag_filter_key   = "Environment"
+  tag_filter_value = "Production"
+  sns_topic_name   = "ebs-optimization-alerts"
+  email_endpoint   = "finops-team@example.com"
+}

main.tf

@@ -0,0 +1,94 @@
+# Hole alle EBS-Volumes in der Region
+data "aws_ebs_volumes" "all_volumes" {}
+
+# Hole Details zu jedem Volume
+data "aws_ebs_volume" "volume_details" {
+  for_each  = toset(data.aws_ebs_volumes.all_volumes.ids)
+  volume_id = each.key
+}
+
+locals {
+  alarm_thresholds = {
+    gp2 = { read_ops = 10, write_ops = 10, burst_balance = 20 }
+    gp3 = { read_ops = 100, write_ops = 100, burst_balance = 20 }
+    io1 = { read_ops = 500, write_ops = 500, burst_balance = 0 }
+    io2 = { read_ops = 500, write_ops = 500, burst_balance = 0 }
+    st1 = { read_ops = 5, write_ops = 5, burst_balance = 0 }
+    sc1 = { read_ops = 1, write_ops = 1, burst_balance = 0 }
+  }
+
+  filtered_volumes = [
+    for vol_id, vol in data.aws_ebs_volume.volume_details :
+    vol_id
+    if contains(keys(vol.tags), var.tag_filter_key)
+    && vol.tags[var.tag_filter_key] == var.tag_filter_value
+  ]
+}
+
+resource "aws_sns_topic" "ebs_alerts" {
+  name = var.sns_topic_name
+}
+
+resource "aws_sns_topic_subscription" "email_sub" {
+  topic_arn = aws_sns_topic.ebs_alerts.arn
+  protocol  = "email"
+  endpoint  = var.email_endpoint
+}
+
+# BurstBalance (nur SSD)
+resource "aws_cloudwatch_metric_alarm" "burst_balance_low" {
+  for_each = toset(local.filtered_volumes)
+  count    = contains(["gp2", "gp3", "io1", "io2"], data.aws_ebs_volume.volume_details[each.key].volume_type) ? 1 : 0
+
+  alarm_name          = "ebs-burst-balance-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "BurstBalance"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[data.aws_ebs_volume.volume_details[each.key].volume_type].burst_balance
+  alarm_description   = "EBS BurstBalance < threshold for volume ${each.key}"
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
+}
+
+# ReadOps (alle Typen)
+resource "aws_cloudwatch_metric_alarm" "read_ops_low" {
+  for_each = toset(local.filtered_volumes)
+
+  alarm_name          = "ebs-read-ops-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "VolumeReadOps"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[data.aws_ebs_volume.volume_details[each.key].volume_type].read_ops
+  alarm_description   = "EBS ReadOps < threshold for volume ${each.key}"
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
+}
+
+# WriteOps (alle Typen)
+resource "aws_cloudwatch_metric_alarm" "write_ops_low" {
+  for_each = toset(local.filtered_volumes)
+
+  alarm_name          = "ebs-write-ops-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "VolumeWriteOps"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[data.aws_ebs_volume.volume_details[each.key].volume_type].write_ops
+  alarm_description   = "EBS WriteOps < threshold for volume ${each.key}"
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
+}

output.tf

@@ -0,0 +1,9 @@
+output "sns_topic_arn" {
+  description = "SNS topic ARN"
+  value       = aws_sns_topic.ebs_alerts.arn
+}
+
+output "filtered_volume_ids" {
+  description = "List of EBS volume IDs being monitored"
+  value       = local.filtered_volumes
+}