add billing

terraform-modules · May 26, 2022 · 32ca5c1 · 32ca5c1
1 parent cf274db
commit 32ca5c1
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -158,3 +158,6 @@
 * 1.15.3 -- 2022-04-27
   - terraform-state
     -  add r-inf-terraform assumable role for TF operations
+
+* 1.15.4 -- 2022-05-26
+  - remove billing-policies, move into iam-general-policies
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.15.3"
+  _module_version = "1.15.4"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
@@ -113,8 +113,10 @@ No modules.
 | [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ip_restriction](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf
@@ -21,6 +21,20 @@ locals {
       policy        = data.aws_iam_policy_document.deny_billing.json
       create_policy = true
     }
+    "full_billing" = {
+      name          = "full-billing"
+      path          = "/"
+      description   = "Policy for full access to billing and cost allocation"
+      policy        = data.aws_iam_policy_document.full_billing.json
+      create_policy = false
+    }
+    "limited_billing" = {
+      name          = "limited-billing"
+      path          = "/"
+      description   = "Policy for limited access to billing and cost allocation"
+      policy        = data.aws_iam_policy_document.limited_billing.json
+      create_policy = false
+    }
     "ip_restriction" = {
       name          = "ip-restriction"
       path          = "/"

diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf
@@ -63,6 +63,48 @@ data "aws_iam_policy_document" "deny_billing" {
   }
 }
 
+data "aws_iam_policy_document" "full_billing" {
+  statement {
+    sid       = "FullBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "aws-portal:View*",
+      "ce:Describe*",
+      "ce:Get*",
+      "ce:List*",
+      "ce:CreateNotificationSubscription",
+      "ce:CreateReport",
+      "ce:DeleteNotificationSubscription",
+      "ce:DeleteReport",
+      "ce:UpdateNotificationSubscription",
+      "ce:UpdateReport",
+      "ce:UpdatePreferences",
+      "budgets:View*",
+      "budgets:Describe*",
+      #"budgets:*",
+      # add others, to allow cost explorer and budgets
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "limited_billing" {
+  statement {
+    sid       = "LimitedBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "aws-portal:View*",
+      "ce:Describe*",
+      "ce:Get*",
+      "ce:List*",
+      # put in right set of things for cost explorer and read access to billing
+    ]
+  }
+}
+
 # generated dynamically based on passing cidr blocks
 data "aws_iam_policy_document" "ip_restriction" {
   statement {