add full and limited billing

iam-general-policies/README.md

@@ -113,8 +113,10 @@ No modules.
 | [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ip_restriction](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

iam-general-policies/custom_policies.tf

@@ -21,6 +21,20 @@ locals {
       policy        = data.aws_iam_policy_document.deny_billing.json
       create_policy = true
     }
+    "full_billing" = {
+      name          = "full-billing"
+      path          = "/"
+      description   = "Policy for full access to billing and cost allocation"
+      policy        = data.aws_iam_policy_document.full_billing.json
+      create_policy = false
+    }
+    "limited_billing" = {
+      name          = "limited-billing"
+      path          = "/"
+      description   = "Policy for limited access to billing and cost allocation"
+      policy        = data.aws_iam_policy_document.limited_billing.json
+      create_policy = false
+    }
     "ip_restriction" = {
       name          = "ip-restriction"
       path          = "/"

iam-general-policies/policy_data.tf

@@ -63,6 +63,48 @@ data "aws_iam_policy_document" "deny_billing" {
   }
 }
 
+data "aws_iam_policy_document" "full_billing" {
+  statement {
+    sid       = "FullBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "aws-portal:View*",
+      "ce:Describe*",
+      "ce:Get*",
+      "ce:List*",
+      "ce:CreateNotificationSubscription",
+      "ce:CreateReport",
+      "ce:DeleteNotificationSubscription",
+      "ce:DeleteReport",
+      "ce:UpdateNotificationSubscription",
+      "ce:UpdateReport",
+      "ce:UpdatePreferences",
+      "budgets:View*",
+      "budgets:Describe*",
+      #"budgets:*",
+      # add others, to allow cost explorer and budgets
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "limited_billing" {
+  statement {
+    sid       = "LimitedBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "aws-portal:View*",
+      "ce:Describe*",
+      "ce:Get*",
+      "ce:List*",
+      # put in right set of things for cost explorer and read access to billing
+    ]
+  }
+}
+
 # generated dynamically based on passing cidr blocks
 data "aws_iam_policy_document" "ip_restriction" {
   statement {