This Terraform configuration is designed to set up a receiving S3 bucket and optionally enable AWS Cost and Usage Reports (CUR) by configuring the necessary IAM roles and policies. The setup ensures secure storage, replication, and access to your CUR data for analysis in a destination account.
Run `pre-commit install` to install any guardrails implemented using pre-commit. See pre-commit installation on how to install pre-commit.
Below is an example configuration for using this module with the necessary providers:

```hcl
# Provider for the destination (data collection) account
provider "aws" {
  profile = "data_collection"
  region  = "eu-central-1"
  alias   = "data_collection"
}

# CUR report definitions are managed through us-east-1
provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
}

module "cur_data_collection_account" {
  source = "./destination/"

  source_account_ids = ["123456789012"] # Change to sending accounts
  create_cur         = false            # Set to true to create an additional CUR in the aggregation account

  providers = {
    # Pass the aliased provider as the module's default; otherwise it is never used
    aws         = aws.data_collection
    aws.useast1 = aws.useast1
  }
}
```
Optional inputs:

```hcl
resource_prefix = "TechNative"
kms_key_id      = "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"

tags = {
  Environment = "Production"
  Owner       = "Finance"
}

s3_access_logging = {
  enabled = true
  bucket  = "my-logging-bucket"
  prefix  = "logs/"
}
```

Required inputs:

```hcl
source_account_ids = ["123456789012"] # Change to sending accounts
create_cur         = false            # Set to true to create an additional CUR in the aggregation account
```

- Access Denied Errors: Ensure that your AWS credentials have sufficient permissions to create and manage the resources defined in this Terraform configuration.
- KMS Key Issues: If using KMS encryption, verify that the key exists and that your IAM roles have the correct permissions to use the key.
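
For the KMS item above and the `kms_key_id` input, a key policy defined outside the module could look like the following. This is an added example, not part of the module: `var.replication_role_arns` and all resource names are hypothetical, and the KMS actions are an assumption based on SSE-KMS writes to S3 requiring `kms:GenerateDataKey`.

```hcl
variable "replication_role_arns" {
  description = "ARNs of the S3 replication roles in the source accounts (hypothetical input)"
  type        = list(string)
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "cur_key" {
  # Key administration stays with the destination account.
  statement {
    sid       = "DestinationAccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Only for create_cur = true: billing service encrypts the reports it writes (actions assumed).
  statement {
    sid       = "BillingReportsEncrypt"
    actions   = ["kms:GenerateDataKey*", "kms:Encrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["billingreports.amazonaws.com"]
    }
  }

  # Lets the source accounts' replication roles encrypt replicas with this key.
  statement {
    sid       = "SourceReplicationEncrypt"
    actions   = ["kms:Encrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.replication_role_arns
    }
  }
}

# Create the key in the CUR bucket's region; pass aws_kms_key.cur.arn as kms_key_id.
resource "aws_kms_key" "cur" {
  description         = "CUR bucket key (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.cur_key.json
}
```

Because the replication roles live in other accounts, each role also needs an identity policy in its own account allowing the same actions on this key's ARN; the key policy alone is not sufficient for cross-account use.
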
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 3.0 |
Name | Version |
---|---|
aws | >= 3.0 |
aws.useast1 | >= 3.0 |
No modules.
Name | Type |
---|---|
aws_cur_report_definition.this | resource |
aws_s3_bucket.this | resource |
aws_s3_bucket_lifecycle_configuration.this | resource |
aws_s3_bucket_logging.this | resource |
aws_s3_bucket_ownership_controls.this | resource |
aws_s3_bucket_policy.this | resource |
aws_s3_bucket_public_access_block.this | resource |
aws_s3_bucket_server_side_encryption_configuration.this | resource |
aws_s3_bucket_versioning.this | resource |
aws_caller_identity.this | data source |
aws_iam_policy_document.bucket_policy | data source |
aws_partition.this | data source |
aws_region.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
create_cur | Whether to create a local CUR in the destination account or not. Set this to true if the destination account is NOT covered in the CUR of the source accounts | bool | n/a | yes |
cur_name_suffix | Suffix used to name the local CUR report if create_cur is true | string | "cur" | no |
enable_split_cost_allocation_data | Enable split cost allocation data for ECS and EKS for this CUR report | bool | false | no |
kms_key_id | !!!WARNING!!! EXPERIMENTAL - Do not use unless you know what you are doing. The correct key policies and IAM permissions on the S3 replication role must be configured external to this module. - If create_cur is true, the "billingreports.amazonaws.com" service must have access to encrypt S3 objects with the key ID provided - See https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html for information on permissions required for replicating KMS-encrypted objects | string | null | no |
resource_prefix | Prefix used for all named resources, including S3 Bucket | string | "cid" | no |
s3_access_logging | S3 Access Logging configuration for the CUR bucket | object({ | { | no |
source_account_ids | List of all source accounts that will replicate CUR Data. Ex: [12345678912,98745612312,...] (fill only on Destination Account) | list(string) | n/a | yes |
tags | Map of tags to apply to module resources | map(string) | {} | no |
Name | Description |
---|---|
cur_bucket_arn | ARN of the S3 Bucket where the Cost and Usage Report is delivered |
cur_bucket_name | Name of the S3 Bucket where the Cost and Usage Report is delivered |
cur_report_arn | ARN of the Cost and Usage Report |