A deployable architecture which will fully onboard a standard or enterprise IBM Cloud account to IBM Cloudability.
APACHE-2.0 License
This Deployable Architecture will fully onboard a standard IBM Cloud account or an entire IBM Cloud enterprise to IBM Cloudability. The DA performs the following actions:
❗ Important: This Deployable Architecture solution is not intended to be called by other modules because it contains a provider configuration and is therefore not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see Providers Within Modules.
You need the following permissions to run this module:
- `Administrator` platform access
- `Manager`, `ObjectReader` service access
- `Editor` platform access
- `Manager` service access
- `Administrator` platform access
- `Viewer` platform access
- `Administrator` platform access

Name | Version |
---|---|
terraform | >=1.3.0 |
cloudability | 0.0.36 |
ibm | 1.70.0 |
restapi | 1.20.0 |

Name | Source | Version |
---|---|---|
billing_exports | ./modules/billing-exports | n/a |
cloudability_bucket_access | ./modules/cloudability-bucket-access | n/a |
cloudability_enterprise_access | ./modules/cloudability-enterprise-access | n/a |
cloudability_onboarding | ./modules/cloudability-onboarding | n/a |
cos_bucket | ./modules/encrypted_cos_bucket | n/a |
resource_group | terraform-ibm-modules/resource-group/ibm | 1.1.6 |

Name | Type |
---|---|
ibm_enterprises.enterprises | data source |
ibm_iam_account_settings.billing_exports_account | data source |
ibm_iam_auth_token.tokendata | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
access_tags | A list of access tags to apply to the COS instance created by the module. See https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details. | list(string) | [] | no |
activity_tracker_crn | Activity Tracker CRN for the COS bucket (Optional) | string | null | no |
add_bucket_name_suffix | Add a randomly generated suffix (4 characters long) to the newly provisioned COS bucket name (Optional). | bool | true | no |
archive_days | Specifies the number of days when the archive rule action takes effect. Only used if 'create_cos_bucket' is true. This must be set to null when using var.cross_region_location, as archive data is not supported with this feature. | number | null | no |
archive_type | Specifies the storage class or archive type to which you want the object to transition. Only used if 'create_cos_bucket' is true. | string | "Glacier" | no |
bucket_cbr_rules | (Optional, list) List of CBR rules to create for the bucket | list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) })) | [] | no |
bucket_name | The name to give the newly provisioned COS bucket. Only required if 'create_cos_bucket' is true. | string | "apptio-cldy-billing-snapshots" | no |
bucket_storage_class | The storage class of the newly provisioned COS bucket. Only required if 'create_cos_bucket' is true. Supported values are 'standard', 'vault', 'cold', 'smart' and 'onerate_active'. | string | "standard" | no |
cloudability_api_key | Cloudability API key. Retrieve your API key from https://app.apptio.com/cloudability#/settings/preferences: under the section Cloudability API, select Enable API, which will generate an API key. Setting this value to NULL will skip adding the IBM Cloud account to Cloudability and only configure IBM Cloud so that the IBM Cloud account can be added to Cloudability manually. | string | null | no |
cloudability_custom_role_name | Name of the custom role created to grant the Cloudability service ID access to read from the billing reports COS bucket | string | "CloudabilityStorageCustomRole" | no |
cloudability_enterprise_custom_role_name | Name of the custom role granting a Cloudability service ID access to read the enterprise information. Only used if var.is_enterprise_account is set. | string | "CloudabilityListAccCustomRole" | no |
cloudability_host | IBM Cloudability host name as described in https://help.apptio.com/en-us/cloudability/api/v3/getting_started_with_the_cloudability.htm#authentication | string | "api.cloudability.com" | no |
cos_folder | Folder in the COS bucket to store the account data | string | "IBMCloud-Billing-Reports" | no |
cos_instance_name | The name to give the Cloud Object Storage instance that will be provisioned by this module. Only required if 'create_cos_instance' is true. | string | "ibm-cloudability" | no |
cos_plan | Plan to be used for creating the Cloud Object Storage instance. Only used if 'create_cos_instance' is true. | string | "standard" | no |
create_cos_instance | Set as true to create a new Cloud Object Storage instance. | bool | true | no |
create_key_protect_instance | Key Protect instance name | bool | true | no |
cross_region_location | Specify the cross-regional bucket location. Supported values are 'us', 'eu', and 'ap'. If you pass a value for this, ensure that var.region is set to null. | string | null | no |
enable_billing_exports | Whether billing exports should be enabled | bool | true | no |
enable_cloudability_access | Whether to grant Cloudability access to read the billing reports | bool | true | no |
enterprise_id | ID of the enterprise. Can be automatically retrieved if is_enterprise_account is true | string | null | no |
existing_cos_instance_id | The ID of an existing Cloud Object Storage instance. Required if 'var.create_cos_instance' is false. | string | null | no |
existing_kms_instance_guid | The GUID of the Key Protect or Hyper Protect instance that holds the key specified in var.kms_key_crn. Required if var.skip_iam_authorization_policy is false in order to create an IAM Access Policy to allow Key Protect or Hyper Protect to access the newly created COS instance. | string | null | no |
expire_days | Specifies the number of days when the expire rule action takes effect. Only used if 'create_cos_bucket' is true. | number | null | no |
ibmcloud_api_key | The IBM Cloud API key which will enable billing exports | string | n/a | yes |
instance_cbr_rules | (Optional, list) List of CBR rules to create for the instance | list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) })) | [] | no |
is_enterprise_account | Whether billing exports are enabled for the enterprise account | bool | false | no |
key_name | Name of the COS bucket encryption key | string | null | no |
key_protect_instance_name | Key Protect instance name | string | "cloudability-bucket-encryption" | no |
key_ring_name | Name of the key ring to group keys | string | "bucket-encryption" | no |
management_endpoint_type_for_bucket | The type of endpoint for the IBM terraform provider to use to manage the bucket (public, private or direct). | string | "public" | no |
object_versioning_enabled | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with retention rule. Only used if 'create_cos_bucket' is true. | bool | false | no |
policy_granularity | Whether access to the COS bucket is controlled at the bucket (resource), COS instance (serviceInstance), or resource-group (resourceGroup). | string | "resource" | no |
region | Region where resources will be created | string | "us-south" | no |
resource_group_name | The name of an existing resource group to provision resources into. | string | "Default" | no |
resource_tags | Optional list of tags to be added to created resources | list(string) | [] | no |
retention_default | Specifies the default duration of time an object can be kept unmodified for the COS bucket. Only used if 'create_cos_bucket' is true. | number | 90 | no |
retention_enabled | Retention enabled for COS bucket. Only used if 'create_cos_bucket' is true. | bool | false | no |
retention_maximum | Specifies the maximum duration of time an object can be kept unmodified for the COS bucket. Only used if 'create_cos_bucket' is true. | number | 365 | no |
retention_minimum | Specifies the minimum duration of time an object must be kept unmodified for the COS bucket. Only used if 'create_cos_bucket' is true. | number | 1 | no |
retention_permanent | Specifies a permanent retention status, either enable or disable, for the COS bucket. Only used if 'create_cos_bucket' is true. | bool | false | no |
skip_cloudability_billing_policy | Whether to skip the policy which grants Cloudability access to view the billing service. This may be true if the policy already exists because it was created by a previous run. | bool | false | no |
skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the KMS instance in existing_kms_instance_guid. WARNING: An authorization policy must exist before an encrypted bucket can be created. | bool | false | no |
skip_verification | Whether to verify the account after adding the account to Cloudability. Requires cloudability_auth_header to be set. | bool | false | no |
sysdig_crn | Cloud Monitoring CRN for the COS bucket (Optional) | string | null | no |
use_existing_iam_custom_role | Whether the iam_custom_roles should be created or if they already exist and they should be linked with a datasource | bool | false | no |
use_existing_resource_group | Whether the value of the resource_group_name input should be a new or existing resource group | bool | true | no |

Name | Description |
---|---|
bucket_account_cloudability_custom_role_display_name | Display name of the custom role that grants cloudability access to read the billing reports from the cos bucket |
bucket_cbr_rules | COS bucket rules |
bucket_crn | Bucket CRN |
bucket_id | Bucket id |
bucket_name | Bucket name |
bucket_storage_class | Bucket Storage Class |
cbr_rule_ids | List of all rule ids |
cos_instance_guid | The GUID of the Cloud Object Storage Instance where the buckets are created |
cos_instance_id | The ID of the Cloud Object Storage Instance where the buckets are created |
enterprise_account_id | primary account id of the enterprise if is_enterprise_account is enabled |
enterprise_cloudability_custom_role_display_name | Display name of the custom role that grants cloudability access to read the enterprise accounts |
enterprise_id | id of the enterprise if is_enterprise_account is enabled |
instance_cbr_rules | COS instance rules |
key_protect_guid | Key Protect GUID |
key_protect_id | Key Protect service instance ID when an instance is created, otherwise null |
key_protect_instance_policies | Instance Policies of the Key Protect instance |
key_protect_name | Key Protect Name |
key_rings | IDs of new Key Rings created by the module |
keys | IDs of new Keys created by the module |
kms_key_crn | The CRN of the KMS key used to encrypt the COS bucket |
resource_group_id | Resource Group ID |
s3_endpoint_public | S3 public endpoint |

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.