cleanup

Alexander Wiechert · Alexander Wiechert · commit 8a322cd3e16c · 2025-05-09T15:28:25.000+02:00
diff --git a/README.md b/README.md
@@ -23,14 +23,28 @@ This module is compatible with both Terraform (>=1.4) and OpenTofu (>=1.4).
 - Monitor **BurstBalance**, **ReadOps**, and **WriteOps** per EBS volume.
 - Dynamically set alarm thresholds per volume type (gp2, gp3, io1, io2, st1, sc1).
 - Automatically exclude irrelevant alarms (e.g., no BurstBalance on st1/sc1).
+- Creates a Cost Category in AWS Cost Explorer to group and track all EBS-related costs.
 - Filter volumes by tags (e.g., `Environment = Production`).
 - Send alerts to SNS with configurable email subscription.
+- Adds CloudWatch Composite Alarms to combine ReadOps, WriteOps, and BurstBalance alerts per EBS volume.
+- **Optional CloudWatch dashboard** with dynamic widgets per volume.
 - Includes example project and CI workflow with security checks.
 
 ---
 
 ## Usage
 
+### Least Privilege IAM Policy
+
+Before applying this module, ensure the IAM user or role has at least the permissions defined in [`iam-policy-minimal.json`](./iam-policy-minimal.json).
+
+These include:
+- CloudWatch: alarm management, metrics read access
+- SNS: topic management, publish/subscribe
+
+This avoids running Terraform with overly broad permissions.
+
+
 ### Real Mode (default)
 
 ```hcl
@@ -43,6 +57,11 @@ module "ebs_optimization" {
   email_endpoint   = "finops-team@example.com"
 }
 ```
+
+### Optional CloudWatch Dashboard
+```hcl
+  enable_dashboard = true
+```
 Run:
 ```bash
 terraform init
@@ -86,6 +105,24 @@ terraform apply
 | sns_topic_name    | Name of the SNS topic for alerts   | string | "ebs-alerts-topic" |
 | email_endpoint    | Email address for SNS subscription | string | n/a (required)     |
 |use_fake_data	    |Enable fake/test mode (no AWS calls)| 	bool  | false              |
+|enable_dashboard	|Enable CloudWatch dashboard creation|	bool	|true |
+---
+### Tagging
+
+This module automatically applies consistent tags to all resources (SNS topics, CloudWatch alarms, dashboards) it creates, making it easier to track costs, ownership, and environments.
+
+The following tags are applied:
+
+| Tag         | Description                                                                                                                                      |
+|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
+| `Environment` | Taken from `var.tag_filter_value`. Ensures the monitoring resources are labeled consistently with the EBS volumes they are watching (e.g., `Production`). |
+| `CostCenter`  | Taken from `var.cost_center`. Allows cost allocation and reporting by project, team, or budget owner (default: `FinOps`).                          |
+| `ManagedBy`   | Fixed tag (`terraform-aws-ebs-optimization`). Indicates the resources are managed by this Terraform module, improving transparency and auditability. |
+
+**Important:**
+- The `Environment` tag does not dynamically read the EBS volume’s tags.
+- It uses the value you pass as `tag_filter_value` in the module inputs.
+- For example, if you filter volumes with `tag_filter_value = "Production"`, the same value is applied as the `Environment` tag on the monitoring resources.
 
 ---
 
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -7,4 +7,5 @@ module "ebs_optimization" {
   sns_topic_name   = "ebs-optimization-alerts"
   email_endpoint   = "finops-team@example.com"
   use_fake_data    = true
+  enable_dashboard = true
 }
diff --git a/main.tf b/main.tf
@@ -53,66 +53,4 @@ locals {
     if contains(["gp2", "gp3", "io1", "io2"], vol.volume_type)
   }
 
-}
-
-resource "aws_sns_topic" "ebs_alerts" {
-  name = var.sns_topic_name
-}
-
-resource "aws_sns_topic_subscription" "email_sub" {
-  topic_arn = aws_sns_topic.ebs_alerts.arn
-  protocol  = "email"
-  endpoint  = var.email_endpoint
-}
-
-
-resource "aws_cloudwatch_metric_alarm" "burst_balance_low" {
-  for_each = local.ssd_volumes
-
-  alarm_name          = "ebs-burst-balance-low-${each.key}"
-  comparison_operator = "LessThanThreshold"
-  evaluation_periods  = 1
-  metric_name         = "BurstBalance"
-  namespace           = "AWS/EBS"
-  period              = 300
-  statistic           = "Average"
-  threshold           = local.alarm_thresholds[each.value.volume_type].burst_balance
-  dimensions = {
-    VolumeId = each.key
-  }
-  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
-}
-
-resource "aws_cloudwatch_metric_alarm" "read_ops_low" {
-  for_each = local.selected_volumes
-
-  alarm_name          = "ebs-read-ops-low-${each.key}"
-  comparison_operator = "LessThanThreshold"
-  evaluation_periods  = 1
-  metric_name         = "VolumeReadOps"
-  namespace           = "AWS/EBS"
-  period              = 300
-  statistic           = "Average"
-  threshold           = local.alarm_thresholds[each.value.volume_type].read_ops
-  dimensions = {
-    VolumeId = each.key
-  }
-  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
-}
-
-resource "aws_cloudwatch_metric_alarm" "write_ops_low" {
-  for_each = local.selected_volumes
-
-  alarm_name          = "ebs-write-ops-low-${each.key}"
-  comparison_operator = "LessThanThreshold"
-  evaluation_periods  = 1
-  metric_name         = "VolumeWriteOps"
-  namespace           = "AWS/EBS"
-  period              = 300
-  statistic           = "Average"
-  threshold           = local.alarm_thresholds[each.value.volume_type].write_ops
-  dimensions = {
-    VolumeId = each.key
-  }
-  alarm_actions = [aws_sns_topic.ebs_alerts.arn]
-}
+}
diff --git a/provider.tf b/provider.tf
@@ -5,4 +5,13 @@ provider "aws" {
   skip_credentials_validation = true
   skip_requesting_account_id  = true
   skip_metadata_api_check     = true
+
+  default_tags {
+    tags = {
+      Environment = var.tag_filter_value
+      CostCenter  = var.cost_center
+      ManagedBy   = "terraform-aws-ebs-optimization"
+    }
+  }
+
 }
diff --git a/variables.tf b/variables.tf
@@ -31,4 +31,22 @@ variable "use_fake_data" {
   description = "Enable fake data mode for testing"
   type        = bool
   default     = false
+}
+
+variable "enable_dashboard" {
+  description = "Enable creation of a CloudWatch dashboard"
+  type        = bool
+  default     = true
+}
+
+variable "cost_center" {
+  description = "Cost center tag for all resources"
+  type        = string
+  default     = "FinOps"
+}
+
+variable "category_name" {
+  description = "Name of the Cost Category"
+  type        = string
+  default     = "EBS-Volumes"
 }

Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,5 @@ module "ebs_optimization" {`
`7`	`7`	`sns_topic_name = "ebs-optimization-alerts"`
`8`	`8`	`email_endpoint = "finops-team@example.com"`
`9`	`9`	`use_fake_data = true`
	`10`	`+ enable_dashboard = true`
`10`	`11`	`}`