harness-community/terraform-aws-harness-ccm

Terraform AWS Harness CCM

Terraform to configure your AWS account for use with Harness CCM.

Can be used as a module or a starting point for your own automation.

Authentication

This module creates AWS resources. To set up authentication to your AWS account please see the AWS provider documentation.

Usage

Master Payer Accounts

When creating a role in your master payer account to grant Harness access to your CUR, be sure to set s3_bucket_arn to the bucket that holds your CUR and enable_billing to true:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

module "ccm-billing" {
  source                = "harness-community/harness-ccm/aws"
  version               = "1.0.0"

  external_id             = "harness:891928451355:<your harness account id>"

  s3_bucket_arn           = "arn:aws:s3:::<s3 bucket name with cur data>"
  enable_billing          = true

  enable_commitment_read  = true
  enable_commitment_write = true
}

To enable the Commitment Orchestrator feature, set enable_commitment_read for visibility into your commitments and enable_commitment_write to allow purchases to be made through Harness. The write flag is what lets the role commit spend on your behalf, so set it only in accounts where that is intended.

EU Cluster Accounts

If your Harness account is located in our EU cluster, you will need to pass the following inputs:

  s3_bucket_name = "harness-ccm-service-data-bucket-prod-eu"
  aws_account_id = "783764615875"
  external_id    = "harness:783764615875:<your harness account id>"
  trusted_roles  = [
    "arn:aws:iam::783764615875:user/harness-ccm-service-user-prod-eu"
  ]

Member Accounts

When creating roles in member accounts (non-billing access), set only the specific features you want to enable:

  • enable_events: gather inventory for dashboards and EC2/ECS recommendation data (read only)
  • autostopping_loadbalancers: enables the access required for ALB and/or Proxy AutoStopping
  • autostopping_resources: enables the access required for AutoStopping based on target resource types
  • enable_governance: grants view-only access to run governance in dry-run mode and create custom recommendations (read only)
  • governance_policy_arns: to let governance make changes, supply custom policies that grant the access required for the actions you want to take (write)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {}

module "ccm-member" {
  source                = "harness-community/harness-ccm/aws"
  version               = "1.0.0"

  external_id             = "harness:891928451355:<your harness account id>"

  # for inventory and recommendations
  enable_events           = true

  # enable specific types of autostopping to be used
  autostopping_loadbalancers = ["alb", "proxy"]
  autostopping_resources     = ["ec2", "ec2-spot", "asg", "rds", "ecs"]

  # enable view access for governance dry runs
  enable_governance       = true

  # enable write access for governance enforcements
  # (AmazonEC2FullAccess is shown only as an illustration; in practice pass
  # custom policies scoped to the actions your governance rules perform)
  governance_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}
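The member-account example hands the cross-account role AmazonEC2FullAccess, which lets Harness do anything with EC2 in that account. Because governance_policy_arns accepts any policy ARN, a tighter option is to define the enforcement actions yourself and pass that ARN to the module. The block below is an added example written for this page, not code from the module or from Harness; the two actions (stopping opted-in instances and deleting volumes) and the harness.io/governance tag convention are assumptions standing in for whatever your governance rules actually do.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

# Assumed: the governance rules in this account only stop opted-in instances
# and delete volumes, so that is all the enforcement policy allows. Read
# access for dry runs comes from enable_governance, not from this policy.
data "aws_iam_policy_document" "governance_enforce" {
  statement {
    sid       = "StopOnlyOptInInstances"
    effect    = "Allow"
    actions   = ["ec2:StopInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    # Only instances the owning team has explicitly opted in to enforcement
    # (assumed tag key and value; use whatever convention your rules filter on).
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/harness.io/governance"
      values   = ["enforce"]
    }
  }

  statement {
    sid       = "DeleteVolumes"
    effect    = "Allow"
    actions   = ["ec2:DeleteVolume"]
    resources = ["arn:aws:ec2:*:*:volume/*"]
  }
}

resource "aws_iam_policy" "governance_enforce" {
  name   = "harness-ccm-governance-enforce"
  policy = data.aws_iam_policy_document.governance_enforce.json
}

module "ccm-member" {
  source  = "harness-community/harness-ccm/aws"
  version = "1.0.0"

  external_id = "harness:891928451355:<your harness account id>"

  enable_events     = true
  enable_governance = true

  # Pass the scoped policy instead of a broad AWS managed policy; the module
  # attaches it to the role it creates.
  governance_policy_arns = [
    aws_iam_policy.governance_enforce.arn
  ]
}
```

Run each rule in dry-run mode first (enable_governance alone is enough for that) and add a statement to the enforcement policy only when a rule's action needs it; `terraform plan` will show the attachment being added to the module's role.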

CMK EBS Volumes

When EBS volumes are encrypted with customer-managed KMS keys, AutoStopping cannot start the instances with just the default permissions; additional permissions are required for KMS decryption. To make KMS-encrypted volumes work with AutoStopping, both of the following changes must be made:

  • Permissions added to the IAM role to allow the kms actions
  • Tag the KMS keys: add a harness.io/allowForAutoStopping:true tag to each key the instances' volumes use

To add the permissions, set enable_cmk_ebs to true; the tag must be applied to the keys yourself.
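Putting the two steps together: the key carries the opt-in tag and the module is told to emit the KMS permissions. This is an added example for this page, not the module's own code. The key and alias names are assumptions, and so is enable_optimization = true: the README does not say which input gates the AutoStopping policies, so it is set here on the basis of its description in the Inputs table.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

# Customer-managed key used for EBS encryption. The README requires the tag
# on every key AutoStopping must use, which is how a policy scopes kms
# actions to specific keys, so an untagged CMK is expected to stay
# off-limits to the Harness role even after enable_cmk_ebs is set.
# (Assumed key description and alias; the tag key/value come from the README.)
resource "aws_kms_key" "ebs" {
  description         = "EBS volume encryption for AutoStopping-managed instances"
  enable_key_rotation = true

  tags = {
    "harness.io/allowForAutoStopping" = "true"
  }
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/ebs-autostopping"
  target_key_id = aws_kms_key.ebs.key_id
}

module "ccm-member" {
  source  = "harness-community/harness-ccm/aws"
  version = "1.0.0"

  external_id = "harness:891928451355:<your harness account id>"

  # Assumed: the AutoStopping features this account uses
  enable_optimization    = true
  autostopping_resources = ["ec2", "asg"]

  # Emit the additional KMS statements for CMK-encrypted volumes
  enable_cmk_ebs = true
}
```

A key created without an explicit policy gets the default key policy, which delegates access decisions to IAM, so the module's IAM statements are sufficient. A key with a locked-down key policy also needs a statement for the role the module creates (the cross_account_role output), because an IAM policy cannot grant KMS access that the key policy withholds. For keys not managed by Terraform, apply the same tag with `aws kms tag-resource`.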

Requirements

Name Version
aws >= 4.0

Providers

Name Version
aws >= 4.0

Modules

No modules.

Resources

Name Type
aws_iam_policy.autostopping_cmk_ebs resource
aws_iam_policy.autostopping_loadbalancers resource
aws_iam_policy.autostopping_resources resource
aws_iam_policy.harness_billingmonitoring resource
aws_iam_policy.harness_commitment resource
aws_iam_policy.harness_eventsmonitoring resource
aws_iam_policy.harness_getrole resource
aws_iam_policy.harness_optimsation resource
aws_iam_policy.harness_optimsationlambda resource
aws_iam_policy.harness_secret_access resource
aws_iam_role.harness_ce resource
aws_iam_role.harness_ce_lambda resource
aws_iam_role_policy_attachment.autostopping_cmk_ebs resource
aws_iam_role_policy_attachment.autostopping_loadbalancers resource
aws_iam_role_policy_attachment.autostopping_resources resource
aws_iam_role_policy_attachment.harness_ce_billingmonitoring resource
aws_iam_role_policy_attachment.harness_ce_commitment resource
aws_iam_role_policy_attachment.harness_ce_eventsmonitoring resource
aws_iam_role_policy_attachment.harness_ce_getrole resource
aws_iam_role_policy_attachment.harness_ce_governance resource
aws_iam_role_policy_attachment.harness_ce_governance_enforce resource
aws_iam_role_policy_attachment.harness_ce_lambda_optimsationlambda resource
aws_iam_role_policy_attachment.harness_ce_optimsation resource
aws_iam_role_policy_attachment.harness_secret_access resource
aws_iam_policy_document.autostopping_cmk_ebs data source
aws_iam_policy_document.autostopping_loadbalancers data source
aws_iam_policy_document.autostopping_resources data source
aws_iam_policy_document.harness_billingmonitoring data source
aws_iam_policy_document.harness_ce data source
aws_iam_policy_document.harness_ce_lambda data source
aws_iam_policy_document.harness_commitment data source
aws_iam_policy_document.harness_eventsmonitoring data source
aws_iam_policy_document.harness_getrole data source
aws_iam_policy_document.harness_optimsation data source
aws_iam_policy_document.harness_optimsationlambda data source
aws_iam_policy_document.harness_secret_access data source

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_external_ids | Additional external IDs to allow | list(string) | [] | no |
| autostopping_loadbalancers | Load balancers to be used with autostopping | list(string) | ["alb", "proxy"] | no |
| autostopping_resources | Resources to allow autostopping for | list(string) | ["ec2", "ec2-spot", "asg", "rds", "ecs"] | no |
| aws_account_id | Source AWS account ID; this is Harness' AWS account. If using Harness in SMP mode, set your account ID here | string | "891928451355" | no |
| enable_billing | Enable AWS Cost Visibility | bool | false | no |
| enable_cmk_ebs | Enable CMK KMS permissions for EBS | bool | false | no |
| enable_commitment_read | Enable AWS Commitment Orchestrator Read | bool | false | no |
| enable_commitment_write | Enable AWS Commitment Orchestrator Write | bool | false | no |
| enable_events | Enable AWS Resource Management | bool | false | no |
| enable_governance | Enable AWS Asset Governance | bool | false | no |
| enable_optimization | Enable AWS Optimization by Auto-Stopping | bool | false | no |
| external_id | External ID given in the Harness UI: harness:<aws_account_id>:<harness_account_id> | string | n/a | yes |
| governance_policy_arns | Policy ARNs to give the role access to enforce governance | list(string) | [] | no |
| prefix | A string to add to all resources to add uniqueness | string | "" | no |
| s3_bucket_arn | S3 ARN for the bucket that holds your CUR | string | "" | no |
| s3_bucket_name | S3 bucket name for the bucket that Harness uses to store and analyze your CUR | string | "ce-customer-billing-data-prod" | no |
| secrets | List of secrets that Harness should have access to | list(string) | [] | no |
| trusted_roles | Roles allowed to assume the created role. Defaults are listed for accounts based in US Harness clusters (0,1,2,3,4) | list(string) | ["arn:aws:iam::891928451355:user/prod-data-pipeline-dont-delete", "arn:aws:iam::891928451355:user/ce-prod-bucket-admin"] | no |

Outputs

Name Description
cross_account_role n/a
external_id n/a

References

Harness CCM AWS Setup Guide

Harness CCM CloudFormation Template

About

Configure the Harness cloud cost management (CCM) module for AWS.
