Terraform to configure your AWS account for use with Harness CCM.
Can be used as a module or as a starting point for your own automation.
This module creates AWS resources. To set up authentication to your AWS account, please see the AWS provider documentation.
When creating a role in your master payer account to grant Harness access to your CUR, be sure to set `s3_bucket_arn` to the bucket that holds your CUR and `enable_billing` to `true`:
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

module "ccm-billing" {
  source  = "harness-community/harness-ccm/aws"
  version = "1.0.0"

  external_id   = "harness:891928451355:<your harness account id>"
  s3_bucket_arn = "arn:aws:s3:::<s3 bucket name with cur data>"

  enable_billing          = true
  enable_commitment_read  = true
  enable_commitment_write = true
}
```
To enable the commitment orchestrator feature, set `enable_commitment_read` to get visibility into your commitments and `enable_commitment_write` to allow purchases to be made through Harness.
If your Harness account is located in our EU cluster, you will need to pass the following inputs:

```hcl
s3_bucket_name = "harness-ccm-service-data-bucket-prod-eu"
aws_account_id = "783764615875"
external_id    = "harness:783764615875:<your harness account id>"
trusted_roles = [
  "arn:aws:iam::783764615875:user/harness-ccm-service-user-prod-eu"
]
```
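As an added check (not part of the module), the following Python validates a cross-account role's trust policy against the inputs described above: every statement that allows `sts:AssumeRole` must be limited to the expected `trusted_roles` and must require the `external_id` through an `sts:ExternalId` condition. The sample policy is constructed here from the EU-cluster values in this README, with the Harness account id left as a placeholder.

```python
# Constructed sample: the assume-role (trust) policy of the cross-account role,
# as a dict. Principal and external id are the EU-cluster inputs from the README;
# the trailing Harness account id is a placeholder, not a real value.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::783764615875:user/harness-ccm-service-user-prod-eu"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "sts:ExternalId": "harness:783764615875:<your harness account id>"}},
    }],
}

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, trusted_roles, external_ids):
    """Return a list of findings; empty means the trust policy is as expected.

    Every Allow statement granting sts:AssumeRole must name only principals in
    `trusted_roles` and require one of `external_ids` via a StringEquals
    condition on sts:ExternalId (the confused-deputy guard).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif arn not in trusted_roles:
                findings.append(f"statement {i}: untrusted principal {arn}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        ext = _as_list(condition.get("sts:ExternalId", []))
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif not set(ext) <= set(external_ids):
            findings.append(f"statement {i}: unexpected external id {ext}")
    return findings
```

Run it against the `AssumeRolePolicyDocument` returned by `aws iam get-role` for the created role (boto3 already decodes it to a dict); any `additional_external_ids` you pass to the module belong in the `external_ids` argument as well.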
When creating roles in member accounts for non-billing access, just set the specific features you want to enable:
- `enable_events`: gather inventory for dashboards and EC2/ECS recommendation data (read only)
- `autostopping_loadbalancers`: enables the access required for ALB and/or Proxy AutoStopping
- `autostopping_resources`: enables the access required for AutoStopping based on the listed target resource types
- `enable_governance`: grant view-only access to run governance in dry-run mode and create custom recommendations (read only)
- `governance_policy_arns`: to use governance to make changes, supply custom policies that grant the access required for the actions you want to take (write)
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {}

module "ccm-member" {
  source  = "harness-community/harness-ccm/aws"
  version = "1.0.0"

  external_id = "harness:891928451355:<your harness account id>"

  # for inventory and recommendations
  enable_events = true

  # enable specific types of autostopping to be used
  autostopping_loadbalancers = ["alb", "proxy"]
  autostopping_resources     = ["ec2", "ec2-spot", "asg", "rds", "ecs"]

  # enable view access for governance dry runs
  enable_governance = true

  # enable write access for governance enforcements
  governance_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}
```
When EBS volumes are encrypted with customer-managed KMS keys, AutoStopping cannot start the instances with only the default permissions; additional permissions are required to allow KMS decryption. To get KMS-encrypted volumes working with AutoStopping, the following changes must be made:
- Permissions added to the IAM role to allow `kms` actions
- Tag the KMS keys: add a `harness.io/allowForAutoStopping:true` tag to the KMS keys
To enable these permissions, set the variable listed in the inputs table as "Enable CMK KMS permissions for EBS" (`enable_cmk_ebs`) to `true`.
| Name | Version |
|---|---|
| aws | >= 4.0 |

| Name | Version |
|---|---|
| aws | >= 4.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_external_ids | Additional external ids to allow | list(string) | `[]` | no |
| autostopping_loadbalancers | Load balancers to be used with autostopping | list(string) | `[` | no |
| autostopping_resources | Resources to allow autostopping for | list(string) | `[` | no |
| aws_account_id | Source AWS account ID, this is Harness' AWS account. If using Harness in SMP mode, set your account ID here | string | `"891928451355"` | no |
| enable_billing | Enable AWS Cost Visibility | bool | `false` | no |
| enable_cmk_ebs | Enable CMK KMS permissions for EBS | bool | `false` | no |
| enable_commitment_read | Enable AWS Commitment Orchestrator Read | bool | `false` | no |
| enable_commitment_write | Enable AWS Commitment Orchestrator Write | bool | `false` | no |
| enable_events | Enable AWS Resource Management | bool | `false` | no |
| enable_governance | Enable AWS Asset Governance | bool | `false` | no |
| enable_optimization | Enable AWS Optimization by Auto-Stopping | bool | `false` | no |
| external_id | External ID given in the Harness UI: `harness:<aws_account_id>:` | string | n/a | yes |
| governance_policy_arns | Policy ARNs to give the role access to enforce governance | list(string) | `[]` | no |
| prefix | A string to add to all resources to add uniqueness | string | `""` | no |
| s3_bucket_arn | S3 ARN for the bucket that holds your CUR | string | `""` | no |
| s3_bucket_name | S3 bucket name for the bucket that Harness uses to store and analyze your CUR | string | `"ce-customer-billing-data-prod"` | no |
| secrets | List of secrets that Harness should have access to | list(string) | `[]` | no |
| trusted_roles | Roles allowed to assume the created role. Defaults are listed for accounts based in US Harness clusters (0,1,2,3,4) | list(string) | `[` | no |
| Name | Description |
|---|---|
| cross_account_role | n/a |
| external_id | n/a |