Terraform to configure your AWS account for use with Harness CCM.
Can be used as a module or a starting point for your own automation.
This module creates AWS resources. To set up authentication to your AWS account please see the AWS provider documentation.
When creating a role in your master payer account to grant Harness access to your CUR, be sure to set `s3_bucket_arn` to the bucket that holds your CUR and `enable_billing` to true:
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

module "ccm-billing" {
  source  = "harness-community/harness-ccm/aws"
  version = "0.1.4"

  external_id = "harness:891928451355:<your harness account id>"

  s3_bucket_arn  = "arn:aws:s3:::<s3 bucket name with cur data>"
  enable_billing = true

  enable_commitment_read  = true
  enable_commitment_write = true
}
```
To enable the commitment orchestrator feature, set `enable_commitment_read` to get visibility into your commitments and `enable_commitment_write` to allow purchases to be made through Harness.

When creating roles in member accounts, for non-billing access, set only the specific features you want to enable:
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {}

module "ccm-member" {
  source  = "harness-community/harness-ccm/aws"
  version = "0.1.4"

  external_id = "harness:891928451355:<your harness account id>"

  enable_events       = true
  enable_optimization = true

  # enable view access for governance dry runs
  enable_governance = true

  # enable write access for governance enforcements
  # (the input is named governance_policy_arns; see the Inputs table)
  governance_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}
```
For example:

- To enable Harness recommendations and the EC2/EBS/RDS dashboards, set `enable_events` to true.
- To enable AutoStopping, set `enable_optimization` to true.
- To enable asset governance read access, set `enable_governance` to true.
- To attach any other policies to the Harness role (for example, to allow more actions to be used with asset governance), pass their ARNs in `governance_policy_arns`.

Optionally, fine-grained policies for AutoStopping are included that list only the specific IAM actions needed for your target resource type. Enable them with `enable_autostopping_elb`, `enable_autostopping_ec2`, and `enable_autostopping_asg_ecs_rds`.
When EBS volumes are encrypted with customer-managed KMS keys, AutoStopping cannot start the instances with the default permissions alone; additional permissions are required for KMS decryption. To make KMS-encrypted volumes work with AutoStopping, two changes are needed:

- Permissions added to the IAM role to allow `kms` actions
- A `harness.io/allowForAutoStopping:true` tag added to the KMS keys

To enable these permissions, set the `enable_cmk_ebs` variable to true.
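The following is an added example, not code from the module's README, showing the fine-grained AutoStopping flags and the two CMK changes described above together in one member-account configuration. It assumes the fine-grained `enable_autostopping_*` flags are used in place of the broad `enable_optimization` flag, as the README's wording suggests; the `aws_kms_key` resource and the output names are hypothetical and only illustrate where the `harness.io/allowForAutoStopping:true` tag and the module outputs fit. The module source, version, inputs and tag come from this page.

```hcl
# Added example (not from the module's README): member-account role with
# fine-grained AutoStopping permissions plus the CMK-encrypted EBS changes.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {}

# Hypothetical customer-managed key used for the EBS volumes on instances that
# AutoStopping will manage. The tag is the second of the two changes the README
# lists; keys without it are left alone.
resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes managed by AutoStopping"
  enable_key_rotation = true

  tags = {
    "harness.io/allowForAutoStopping" = "true"
  }
}

module "ccm-member-autostopping" {
  source  = "harness-community/harness-ccm/aws"
  version = "0.1.4"

  # External ID shown in the Harness UI; replace the placeholder with your
  # Harness account id. It is what the role's trust policy checks.
  external_id = "harness:891928451355:<your harness account id>"

  # Grant only the AutoStopping actions needed for the resource types in use,
  # rather than the broader enable_optimization policy (assumed usage).
  enable_autostopping_ec2 = true
  enable_autostopping_elb = true

  # First of the two CMK changes: add the kms actions to the IAM role.
  enable_cmk_ebs = true
}

# Values to copy back into the Harness connector setup (output names assumed).
output "harness_cross_account_role" {
  value = module.ccm-member-autostopping.cross_account_role
}

output "harness_external_id" {
  value = module.ccm-member-autostopping.external_id
}
```

Keeping `enable_optimization` off and enabling only the `enable_autostopping_*` flags for the resource types you actually run keeps the Harness role at the smallest action set the README offers; turn on `enable_autostopping_asg_ecs_rds` only if ASG, ECS or RDS targets are in scope.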
## Requirements

| Name | Version |
|------|---------|
| aws | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.0 |

## Modules

No modules.
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_external_ids | Additional external ids to allow | list(string) | [] | no |
| aws_account_id | Source AWS account ID, this is Harness' AWS account. If using Harness in SMP mode, set your account ID here | string | "891928451355" | no |
| enable_autostopping_asg_ecs_rds | Enable AutoStopping permissions for ASG, ECS and RDS | bool | false | no |
| enable_autostopping_ec2 | Enable AutoStopping permissions for EC2 | bool | false | no |
| enable_autostopping_elb | Enable AutoStopping permissions for ELB | bool | false | no |
| enable_billing | Enable AWS Cost Visibility | bool | false | no |
| enable_cmk_ebs | Enable CMK KMS permissions for EBS | bool | false | no |
| enable_commitment_read | Enable AWS Commitment Orchestrator Read | bool | false | no |
| enable_commitment_write | Enable AWS Commitment Orchestrator Write | bool | false | no |
| enable_events | Enable AWS Resource Management | bool | false | no |
| enable_governance | Enable AWS Asset Governance | bool | false | no |
| enable_optimization | Enable AWS Optimization by Auto-Stopping | bool | false | no |
| external_id | External ID given in the harness UI: harness:<aws_account_id>: | string | n/a | yes |
| governance_policy_arns | Policy arns to give role access to enforce governance | list(string) | [] | no |
| prefix | A string to add to all resources to add uniqueness | string | "" | no |
| s3_bucket_arn | S3 Arn for the bucket that holds your CUR | string | "" | no |
| s3_bucket_name | S3 bucket name for the bucket that Harness uses to store and analyze your CUR | string | "ce-customer-billing-data-prod" | no |
| secrets | List of secrets that harness should have access to | list(string) | [] | no |
## Outputs

| Name | Description |
|------|-------------|
| cross_account_role | n/a |
| external_id | n/a |