terraform-ibm-cloudability-onboarding

A deployable architecture which will fully onboard a standard or enterprise IBM Cloud account to IBM Cloudability.


IBM Cloudability onboarding Deployable Architecture (DA)

This Deployable Architecture will fully onboard a standard IBM Cloud account or an entire IBM Cloud enterprise to IBM Cloudability. The DA performs the following actions:

  • Creates an encrypted COS bucket to store billing reports
  • Enables daily Billing Report exports to the COS Bucket
  • Grants Cloudability access to read the billing reports from the bucket for ingestion
    • If the account is an enterprise: grants Cloudability access to read the list of child accounts in the enterprise
    • Cloudability access is granted through a custom role so that only the minimum required access is given.
  • Adds the IBM Cloud account/enterprise to IBM Cloudability

Important: This Deployable Architecture is not intended to be called by other modules because it contains a provider configuration and is therefore not compatible with the for_each, count, and depends_on arguments. For more information see Providers Within Modules.

Overview

Reference architectures

(Reference architecture diagram: terraform-ibm-cloudability-onboarding)

Required IAM access policies

You need the following permissions to run this module:

  • IAM services
    • Cloud Object Storage service
      • Administrator platform access
      • Manager, ObjectReader service access
    • Key Protect service
      • Editor platform access
      • Manager service access
  • Account management services
    • Billing service
      • Administrator platform access
    • Enterprise service (only for enterprise accounts)
      • Viewer platform access
    • IAM Access Management service (only for enterprise accounts)
      • Administrator platform access

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| cloudability | 0.0.36 |
| ibm | 1.70.0 |
| restapi | 1.20.0 |

Modules

| Name | Source | Version |
|---|---|---|
| billing_exports | ./modules/billing-exports | n/a |
| cloudability_bucket_access | ./modules/cloudability-bucket-access | n/a |
| cloudability_enterprise_access | ./modules/cloudability-enterprise-access | n/a |
| cloudability_onboarding | ./modules/cloudability-onboarding | n/a |
| cos_bucket | ./modules/encrypted_cos_bucket | n/a |
| resource_group | terraform-ibm-modules/resource-group/ibm | 1.1.6 |

Resources

| Name | Type |
|---|---|
| ibm_enterprises.enterprises | data source |
| ibm_iam_account_settings.billing_exports_account | data source |
| ibm_iam_auth_token.tokendata | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tags | A list of access tags to apply to the COS instance created by the module; see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details. | `list(string)` | `[]` | no |
| activity_tracker_crn | Activity Tracker CRN for the COS bucket (optional). | `string` | `null` | no |
| add_bucket_name_suffix | Add a randomly generated suffix (4 characters long) to the newly provisioned COS bucket name (optional). | `bool` | `true` | no |
| archive_days | Specifies the number of days after which the archive rule action takes effect. Only used if `create_cos_bucket` is true. This must be set to `null` when using `var.cross_region_location`, as archiving is not supported with that feature. | `number` | `null` | no |
| archive_type | Specifies the storage class or archive type to which you want the object to transition. Only used if `create_cos_bucket` is true. | `string` | `"Glacier"` | no |
| bucket_cbr_rules | (Optional, list) List of CBR rules to create for the bucket. | `list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))` | `[]` | no |
| bucket_name | The name to give the newly provisioned COS bucket. Only required if `create_cos_bucket` is true. | `string` | `"apptio-cldy-billing-snapshots"` | no |
| bucket_storage_class | The storage class of the newly provisioned COS bucket. Only required if `create_cos_bucket` is true. Supported values are `standard`, `vault`, `cold`, `smart` and `onerate_active`. | `string` | `"standard"` | no |
| cloudability_api_key | Cloudability API key. Retrieve your API key from https://app.apptio.com/cloudability#/settings/preferences: under the Cloudability API section, select Enable API, which generates an API key. Setting this value to `null` skips adding the IBM Cloud account to Cloudability and only configures IBM Cloud so that the account can be added to Cloudability manually. | `string` | `null` | no |
| cloudability_custom_role_name | Name of the custom role that grants the Cloudability service ID access to read from the billing reports COS bucket. | `string` | `"CloudabilityStorageCustomRole"` | no |
| cloudability_enterprise_custom_role_name | Name of the custom role that grants a Cloudability service ID access to read the enterprise information. Only used if `var.is_enterprise_account` is set. | `string` | `"CloudabilityListAccCustomRole"` | no |
| cloudability_host | IBM Cloudability host name as described in https://help.apptio.com/en-us/cloudability/api/v3/getting_started_with_the_cloudability.htm#authentication | `string` | `"api.cloudability.com"` | no |
| cos_folder | Folder in the COS bucket in which to store the account data. | `string` | `"IBMCloud-Billing-Reports"` | no |
| cos_instance_name | The name to give the Cloud Object Storage instance that will be provisioned by this module. Only required if `create_cos_instance` is true. | `string` | `"ibm-cloudability"` | no |
| cos_plan | Plan to be used for creating the Cloud Object Storage instance. Only used if `create_cos_instance` is true. | `string` | `"standard"` | no |
| create_cos_instance | Set to true to create a new Cloud Object Storage instance. | `bool` | `true` | no |
| create_key_protect_instance | Key Protect instance name | `bool` | `true` | no |
| cross_region_location | Specify the cross-regional bucket location. Supported values are `us`, `eu`, and `ap`. If you pass a value for this, ensure you set `var.region` to `null`. | `string` | `null` | no |
| enable_billing_exports | Whether billing exports should be enabled. | `bool` | `true` | no |
| enable_cloudability_access | Whether to grant Cloudability access to read the billing reports. | `bool` | `true` | no |
| enterprise_id | ID of the enterprise. Can be retrieved automatically if `is_enterprise_account` is true. | `string` | `null` | no |
| existing_cos_instance_id | The ID of an existing Cloud Object Storage instance. Required if `var.create_cos_instance` is false. | `string` | `null` | no |
| existing_kms_instance_guid | The GUID of the Key Protect or Hyper Protect instance that the key specified in `var.kms_key_crn` comes from. Required if `var.skip_iam_authorization_policy` is false, in order to create an IAM access policy that allows Key Protect or Hyper Protect to access the newly created COS instance. | `string` | `null` | no |
| expire_days | Specifies the number of days after which the expire rule action takes effect. Only used if `create_cos_bucket` is true. | `number` | `null` | no |
| ibmcloud_api_key | The IBM Cloud API key which will enable billing exports. | `string` | n/a | yes |
| instance_cbr_rules | (Optional, list) List of CBR rules to create for the instance. | `list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))` | `[]` | no |
| is_enterprise_account | Whether billing exports are enabled for the enterprise account. | `bool` | `false` | no |
| key_name | Name of the COS bucket encryption key. | `string` | `null` | no |
| key_protect_instance_name | Key Protect instance name. | `string` | `"cloudability-bucket-encryption"` | no |
| key_ring_name | Name of the key ring used to group keys. | `string` | `"bucket-encryption"` | no |
| management_endpoint_type_for_bucket | The type of endpoint for the IBM Terraform provider to use to manage the bucket (`public`, `private` or `direct`). | `string` | `"public"` | no |
| object_versioning_enabled | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with a retention rule. Only used if `create_cos_bucket` is true. | `bool` | `false` | no |
| policy_granularity | Whether access to the COS bucket is controlled at the bucket (`resource`), COS instance (`serviceInstance`), or resource group (`resourceGroup`) level. | `string` | `"resource"` | no |
| region | Region where resources will be created. | `string` | `"us-south"` | no |
| resource_group_name | The name of an existing resource group to provision resources into. | `string` | `"Default"` | no |
| resource_tags | Optional list of tags to be added to created resources. | `list(string)` | `[]` | no |
| retention_default | Specifies the default duration of time an object can be kept unmodified in the COS bucket. Only used if `create_cos_bucket` is true. | `number` | `90` | no |
| retention_enabled | Whether retention is enabled for the COS bucket. Only used if `create_cos_bucket` is true. | `bool` | `false` | no |
| retention_maximum | Specifies the maximum duration of time an object can be kept unmodified in the COS bucket. Only used if `create_cos_bucket` is true. | `number` | `365` | no |
| retention_minimum | Specifies the minimum duration of time an object must be kept unmodified in the COS bucket. Only used if `create_cos_bucket` is true. | `number` | `1` | no |
| retention_permanent | Specifies whether permanent retention is enabled or disabled for the COS bucket. Only used if `create_cos_bucket` is true. | `bool` | `false` | no |
| skip_cloudability_billing_policy | Whether to skip creating the policy which grants Cloudability access to view the billing service. This may be true if the policy already exists because it was created by a previous run. | `bool` | `false` | no |
| skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits the created COS instance to read the encryption key from the KMS instance in `existing_kms_instance_guid`. WARNING: an authorization policy must exist before an encrypted bucket can be created. | `bool` | `false` | no |
| skip_verification | Whether to verify the account after adding it to Cloudability. Requires `cloudability_auth_header` to be set. | `bool` | `false` | no |
| sysdig_crn | Cloud Monitoring CRN for the COS bucket (optional). | `string` | `null` | no |
| use_existing_iam_custom_role | Whether the IAM custom roles should be created, or whether they already exist and should be linked with a data source. | `bool` | `false` | no |
| use_existing_resource_group | Whether the value of the `resource_group_name` input refers to a new or an existing resource group. | `bool` | `true` | no |
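The inputs above interact in ways that are easy to get wrong (a cross-region bucket needs `region` and `archive_days` unset, versioning cannot be combined with retention, an existing COS instance needs its ID). The `terraform.tfvars` below is an added example, not a file shipped with the project, showing one consistent enterprise-onboarding configuration; every `<...>` value is a placeholder, and the CBR attribute names and enforcement mode value are assumptions about IBM Cloud CBR rather than something this README documents.

```hcl
# terraform.tfvars for the cloudability onboarding DA (added example, not from the project).
# Scenario assumed: onboard an IBM Cloud enterprise, reuse an existing COS instance,
# let the DA create the Key Protect instance and key, and enforce a retention policy.

# Credentials: placeholders only. Supply both through TF_VAR_ibmcloud_api_key /
# TF_VAR_cloudability_api_key from a secrets store rather than committing them.
ibmcloud_api_key     = "<IBM_CLOUD_API_KEY>"
cloudability_api_key = "<CLOUDABILITY_API_KEY>"   # null would skip registering the account with Cloudability

# A regional bucket: region is set, so cross_region_location stays null.
# (The reverse, cross_region_location = "us", would require region = null and archive_days = null.)
region                = "us-south"
cross_region_location = null

resource_group_name         = "billing-exports"
use_existing_resource_group = true

# Reuse an existing COS instance; existing_cos_instance_id is mandatory once create_cos_instance is false.
create_cos_instance      = false
existing_cos_instance_id = "<COS_INSTANCE_ID>"
bucket_name              = "apptio-cldy-billing-snapshots"
add_bucket_name_suffix   = true          # avoids a global bucket-name collision
bucket_storage_class     = "standard"
management_endpoint_type_for_bucket = "private"   # the provider itself talks to COS over the private endpoint

# Encryption: defaults create a dedicated Key Protect instance, key ring and key for this bucket.
create_key_protect_instance = true
key_protect_instance_name   = "cloudability-bucket-encryption"
key_ring_name               = "bucket-encryption"
key_name                    = "billing-reports-key"

# Retention: objects cannot be modified for at least a year; versioning must stay off alongside retention.
retention_enabled         = true
retention_minimum         = 1
retention_default         = 365
retention_maximum         = 730
retention_permanent       = false
object_versioning_enabled = false
expire_days               = null
archive_days              = null

# Enterprise onboarding: enterprise_id is resolved from the ibm_enterprises data source when left null.
is_enterprise_account = true
enterprise_id         = null

# Least privilege for the Cloudability service ID: scope the read policy to the bucket itself,
# not the whole COS instance or resource group.
enable_cloudability_access = true
policy_granularity         = "resource"
use_existing_iam_custom_role = false

# CBR rule for the bucket. Cloudability reads the bucket from outside this account, so an
# enforced private-endpoint-only rule would cut off ingestion; "report" mode records what
# would have been denied without blocking it. Attribute names and mode values are assumptions.
bucket_cbr_rules = [
  {
    description      = "Billing reports bucket: observe non-private access"
    account_id       = "<ACCOUNT_ID>"
    enforcement_mode = "report"
    rule_contexts = [
      {
        attributes = [
          { name = "endpointType", value = "private" },
          { name = "networkZoneId", value = "<NETWORK_ZONE_ID>" }
        ]
      }
    ]
  }
]
```

Run `terraform init` and `terraform plan` against the DA root with this file in place and confirm the plan creates exactly the bucket, key material, custom role and policy you expect before applying. The IBM Cloud API key used here carries Billing Administrator and (for enterprises) IAM Administrator rights, so treat it as a highly privileged credential: rotate it after onboarding and keep it out of state-adjacent files.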

Outputs

| Name | Description |
|---|---|
| bucket_account_cloudability_custom_role_display_name | Display name of the custom role that grants Cloudability access to read the billing reports from the COS bucket |
| bucket_cbr_rules | COS bucket rules |
| bucket_crn | Bucket CRN |
| bucket_id | Bucket ID |
| bucket_name | Bucket name |
| bucket_storage_class | Bucket storage class |
| cbr_rule_ids | List of all rule IDs |
| cos_instance_guid | The GUID of the Cloud Object Storage instance where the buckets are created |
| cos_instance_id | The ID of the Cloud Object Storage instance where the buckets are created |
| enterprise_account_id | Primary account ID of the enterprise if is_enterprise_account is enabled |
| enterprise_cloudability_custom_role_display_name | Display name of the custom role that grants Cloudability access to read the enterprise accounts |
| enterprise_id | ID of the enterprise if is_enterprise_account is enabled |
| instance_cbr_rules | COS instance rules |
| key_protect_guid | Key Protect GUID |
| key_protect_id | Key Protect service instance ID when an instance is created, otherwise null |
| key_protect_instance_policies | Instance policies of the Key Protect instance |
| key_protect_name | Key Protect name |
| key_rings | IDs of new key rings created by the module |
| keys | IDs of new keys created by the module |
| kms_key_crn | The CRN of the KMS key used to encrypt the COS bucket |
| resource_group_id | Resource group ID |
| s3_endpoint_public | S3 public endpoint |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.
