add cost category, cost usage, dashboard for cloudwatch, sns and sample ima policy

Alexander Wiechert · Alexander Wiechert · commit 985222b0bce0 · 2025-05-09T15:29:04.000+02:00
diff --git a/ cost_category.tf b/ cost_category.tf
@@ -0,0 +1,16 @@
+resource "aws_ce_cost_category" "ebs_volumes" {
+  name         = "EBS-Volumes"
+  rule_version = "CostCategoryExpression.v1"
+
+  rule {
+    value = "EBS"
+    rule {
+      dimension {
+        key    = "SERVICE"
+        values = ["Amazon Elastic Block Store"]
+      }
+    }
+  }
+
+  default_value = "Other"
+}
diff --git a/cloudwatch_alarms.tf b/cloudwatch_alarms.tf
@@ -0,0 +1,75 @@
+resource "aws_cloudwatch_metric_alarm" "burst_balance_low" {
+  for_each = local.ssd_volumes
+
+  alarm_name          = "ebs-burst-balance-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "BurstBalance"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[each.value.volume_type].burst_balance
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = []
+}
+
+resource "aws_cloudwatch_metric_alarm" "read_ops_low" {
+  for_each = local.selected_volumes
+
+  alarm_name          = "ebs-read-ops-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "VolumeReadOps"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[each.value.volume_type].read_ops
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = []
+}
+
+resource "aws_cloudwatch_metric_alarm" "write_ops_low" {
+  for_each = local.selected_volumes
+
+  alarm_name          = "ebs-write-ops-low-${each.key}"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "VolumeWriteOps"
+  namespace           = "AWS/EBS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = local.alarm_thresholds[each.value.volume_type].write_ops
+  dimensions = {
+    VolumeId = each.key
+  }
+  alarm_actions = []
+}
+
+resource "aws_cloudwatch_composite_alarm" "ebs_composite_alarm" {
+  for_each = local.selected_volumes
+
+  alarm_name = "ebs-composite-alarm-${each.key}"
+  alarm_rule = join(" OR ", compact([
+    "ALARM(${aws_cloudwatch_metric_alarm.read_ops_low[each.key].alarm_name})",
+    "ALARM(${aws_cloudwatch_metric_alarm.write_ops_low[each.key].alarm_name})",
+      contains(keys(local.ssd_volumes), each.key) ? "ALARM(${aws_cloudwatch_metric_alarm.burst_balance_low[each.key].alarm_name})" : ""
+  ]))
+
+  alarm_description = "Composite alarm for EBS volume ${each.key}"
+  alarm_actions     = [aws_sns_topic.ebs_alerts.arn]
+
+  tags = {
+    Environment = var.tag_filter_value
+    CostCenter  = var.cost_center
+    ManagedBy   = "terraform-aws-ebs-optimization"
+  }
+  depends_on = [
+    aws_cloudwatch_metric_alarm.read_ops_low,
+    aws_cloudwatch_metric_alarm.write_ops_low,
+    aws_cloudwatch_metric_alarm.burst_balance_low
+  ]
+}
diff --git a/cost_usage.tf b/cost_usage.tf
@@ -0,0 +1,59 @@
+resource "aws_cur_report_definition" "ebs_report" {
+  report_name                = "ebs-cost-usage-report"
+  time_unit                  = "DAILY"
+  format                     = "Parquet"
+  compression                = "Parquet"
+  additional_schema_elements = ["RESOURCES"]
+  s3_bucket                  = aws_s3_bucket.cur_bucket.id
+  s3_region                  = var.aws_region
+  s3_prefix                  = "cur/ebs-report"
+  report_versioning          = "CREATE_NEW_REPORT"
+}
+
+resource "aws_s3_bucket" "cur_bucket" {
+  bucket = "finops-obs-optimisation-cur-bucket"
+}
+
+resource "aws_s3_bucket_policy" "cur_bucket_policy" {
+  bucket = aws_s3_bucket.cur_bucket.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Sid    = "AWSBillingPermissions"
+      Effect = "Allow"
+      Principal = {
+        Service = "billingreports.amazonaws.com"
+      }
+      Action = "s3:GetBucketAcl"
+      Resource = aws_s3_bucket.cur_bucket.arn
+    },
+      {
+        Sid    = "AWSBillingPutObject"
+        Effect = "Allow"
+        Principal = {
+          Service = "billingreports.amazonaws.com"
+        }
+        Action = "s3:PutObject"
+        Resource = "${aws_s3_bucket.cur_bucket.arn}/*"
+      }]
+  })
+}
+
+resource "aws_athena_database" "cur_database" {
+  name          = "cur_database"
+  catalog_name  = aws_athena_data_catalog.cur_catalog.name
+  comment       = "Athena database for CUR analysis"
+  bucket        = aws_s3_bucket.cur_bucket.id
+}
+
+resource "aws_athena_named_query" "ebs_query" {
+  name        = "ebs_cost_analysis"
+  database    = aws_athena_database.cur_database.name
+  query       = <<EOF
+SELECT line_item_resource_id, product_product_name, line_item_unblended_cost
+FROM cur_database.cur_table
+WHERE product_product_name = 'Amazon Elastic Block Store'
+EOF
+  description = "Query to analyze EBS costs"
+}
diff --git a/dashboard.tf b/dashboard.tf
@@ -0,0 +1,40 @@
+resource "aws_cloudwatch_dashboard" "ebs_dashboard" {
+  count          = var.enable_dashboard ? 1 : 0
+  dashboard_name = "ebs-optimization-dashboard"
+
+  dashboard_body = jsonencode({
+    widgets = flatten([
+      for vol_id, vol in local.selected_volumes : [
+        {
+          type   = "metric"
+          width  = 6
+          height = 6
+          properties = {
+            metrics = [
+              ["AWS/EBS", "BurstBalance", "VolumeId", vol_id]
+            ]
+            period = 300
+            stat   = "Average"
+            region = var.aws_region
+            title  = "BurstBalance ${vol_id}"
+          }
+        },
+        {
+          type   = "metric"
+          width  = 6
+          height = 6
+          properties = {
+            metrics = [
+              ["AWS/EBS", "VolumeReadOps", "VolumeId", vol_id],
+              [".", "VolumeWriteOps", ".", ".", { "yAxis" : "right" }]
+            ]
+            period = 300
+            stat   = "Sum"
+            region = var.aws_region
+            title  = "Read/Write Ops ${vol_id}"
+          }
+        }
+      ]
+    ])
+  })
+}
diff --git a/iam-policy-minimal.json b/iam-policy-minimal.json
@@ -0,0 +1,21 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricStatistics",
+        "sns:Publish",
+        "sns:CreateTopic",
+        "sns:Subscribe",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/sns.tf b/sns.tf
@@ -0,0 +1,9 @@
+resource "aws_sns_topic" "ebs_alerts" {
+  name = var.sns_topic_name
+}
+
+resource "aws_sns_topic_subscription" "email_sub" {
+  topic_arn = aws_sns_topic.ebs_alerts.arn
+  protocol  = "email"
+  endpoint  = var.email_endpoint
+}
