first commit

Author: Steven Nemetz

.circleci/config.yml

@@ -0,0 +1,69 @@
+version: 2
+
+jobs:
+  build:
+    docker:
+      - image: hashicorp/terraform:0.11.3
+        entrypoint: /bin/sh
+    steps:
+      - checkout
+      - run:
+          name: "Validate tf files (terraform validate)"
+          command: |
+              find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate -check-variables=false "$m" && echo "√ $m") || exit 1 ; done
+      - run:
+          name: "Check: Terraform formatting (terraform fmt)"
+          command: |
+              if [ `terraform fmt --list=true -diff=true -write=false | tee format-issues | wc -c` -ne 0 ]; then
+                echo "Some terraform files need be formatted, run 'terraform fmt' to fix"
+                echo "Formatting issues:"
+                cat format-issues
+                exit 1
+              fi
+      - run:
+          name: "Install: tflint"
+          command: |
+              apk add jq wget
+              # Get latest version of tflint
+              pkg_arch=linux_amd64
+              dl_url=$(curl -s https://api.github.com/repos/wata727/tflint/releases/latest | jq -r ".assets[] | select(.name | test(\"${pkg_arch}\")) | .browser_download_url")
+              wget ${dl_url}
+              unzip tflint_linux_amd64.zip
+              mkdir -p /usr/local/tflint/bin
+              # Setup PATH for later run steps - ONLY for Bash and not in Bash
+              #echo 'export PATH=/usr/local/tflint/bin:$PATH' >> $BASH_ENV
+              echo "Installing tflint..."
+              install tflint /usr/local/tflint/bin
+              echo "Configuring tflint..."
+              tf_ver=$(terraform version | awk 'FNR <= 1' | cut -dv -f2)
+              echo -e "\tConfig for terraform version: ${tf_ver}"
+              if [ -f '.tflint.hcl' ]; then
+                sed -i "/terraform_version =/s/\".*\"/\"${tf_ver}\"/" .tflint.hcl
+              else
+                {
+                echo -e "config {\nterraform_version = \"${tf_ver}\"\ndeep_check = true\nignore_module = {"
+                for module in $(grep -h '[^a-zA-Z]source[ =]' *.tf | sed -r 's/.*=\s+//' | sort -u); do
+                  # if not ^"../
+                  echo "${module} = true"
+                done
+                echo "}}"
+                } > .tflint.hcl
+                fi
+              echo "tflint configuration:"
+              cat .tflint.hcl
+      - run:
+          # Not supporting modules from registry ?? v0.5.4
+          # For now, must ignore in config file
+          name: "Check: tflint"
+          command: |
+              #echo "Initializing terraform..."
+              #terraform init -input=false
+              echo "Running tflint..."
+              /usr/local/tflint/bin/tflint --version
+              /usr/local/tflint/bin/tflint
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - build

.gitignore

@@ -0,0 +1,3 @@
+*.tfstate
+*.tfstate.backup
+.terraform

README.md

@@ -0,0 +1,13 @@
+# terraform-aws-budget
+
+Terraform module to setup AWS budgets and notifications
+
+This is fairly specific for now. It can create budgets for multiple linked accounts. Each with it's own limit.
+Notification is only supported for a single email address
+
+NOTE: Setting up notification and subscribers is not currently supported in Terraform
+
+Notifications are predefined in this module. They are:
+- 110% of forecasted
+- 80% of actual
+- 90% of actual

bugs-to-report.txt

@@ -0,0 +1,10 @@
+Issues budgets resource:
+
+Why start date required? AWS doc says it is optional and has rules of how it is created when not provided
+Work around: Calculate start of month and provide
+
+When account id is not provided get "Account min size is 12". Appears provider is not providing it properly
+Work around: provide account id
+
+Issue with changing budget name. This should force the budget to be recreated. AWS doesn't allow changing the name
+Current generates error: Failed to call UpdateBudget - Unable to get budget: BUDGET_NEW_NAME - the budget doesn't exist.

examples/README.md

@@ -0,0 +1,4 @@
+
+# Example and manual test cases
+
+Each directory contains a configuration that serves as a manual test case and an example

examples/cost-account-annually/README.md

@@ -0,0 +1 @@
+# Example: Annually account budgets

examples/cost-account-annually/main.tf

@@ -0,0 +1,7 @@
+
+module "budgets" {
+  source    = "../../"
+  budgets   = "${var.budgets}"
+  email     = "snemetz@wiser.com"
+  time_unit = "ANNUALLY"
+}

examples/cost-account-annually/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = "${var.region}"
+
+  # Make it faster by skipping something
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+}

examples/cost-account-annually/variables.tf

@@ -0,0 +1,29 @@
+variable "environment" {
+  default = "test"
+}
+
+variable "region" {
+  default = "us-west-2"
+}
+
+variable "budgets" {
+  description = "List of account budget maps. Each map contains: name (name of budget), account (AWS linked account ID), and limit (budget limit)"
+
+  default = [
+    {
+      name    = "acc-1"
+      account = "123456789011"
+      limit   = 100
+    },
+    {
+      name    = "acc-2"
+      account = "123456789012"
+      limit   = 200
+    },
+    {
+      name    = "acc-3"
+      account = "123456789013"
+      limit   = 300
+    },
+  ]
+}

examples/cost-account-quarterly/README.md

@@ -0,0 +1 @@
+# Example: Quarterly account budgets

examples/cost-account-quarterly/main.tf

@@ -0,0 +1,7 @@
+
+module "budgets" {
+  source    = "../../"
+  budgets   = "${var.budgets}"
+  email     = "snemetz@wiser.com"
+  time_unit = "QUARTERLY"
+}

examples/cost-account-quarterly/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = "${var.region}"
+
+  # Make it faster by skipping something
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+}

examples/cost-account-quarterly/variables.tf

@@ -0,0 +1,29 @@
+variable "environment" {
+  default = "test"
+}
+
+variable "region" {
+  default = "us-west-2"
+}
+
+variable "budgets" {
+  description = "List of account budget maps. Each map contains: name (name of budget), account (AWS linked account ID), and limit (budget limit)"
+
+  default = [
+    {
+      name    = "acc-1"
+      account = "123456789011"
+      limit   = 100
+    },
+    {
+      name    = "acc-2"
+      account = "123456789012"
+      limit   = 200
+    },
+    {
+      name    = "acc-3"
+      account = "123456789013"
+      limit   = 300
+    },
+  ]
+}

files/sns_policy.json

@@ -0,0 +1,25 @@
+{
+  "Id": "MyBudgetPolicy",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Mystatementid",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "budgets.amazonaws.com"
+      },
+      "Action": [
+        "SNS:Publish",
+        "SNS:RemovePermission",
+        "SNS:SetTopicAttributes",
+        "SNS:DeleteTopic",
+        "SNS:ListSubscriptionsByTopic",
+        "SNS:GetTopicAttributes",
+        "SNS:Receive",
+        "SNS:AddPermission",
+        "SNS:Subscribe"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

files/sns_template.json

@@ -0,0 +1,45 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Best Practice SNS Topic",
+  "Parameters": {
+    "SNSTopic": {
+      "Type": "String",
+      "Description": "The ARN of the SNS topic"
+    },
+    "SubscriptionEndPoint": {
+      "Type": "String",
+      "Description": "The endpoint that receives notifications from the Amazon SNS topic. The endpoint value depends on the protocol that you specify. This could be a URL or ARN"
+    },
+    "SubscriptionProtocol": {
+      "Type": "String",
+      "Description": "The subscription's protocol",
+      "AllowedValues": [
+        "http",
+        "https",
+        "email",
+        "email-json",
+        "sms",
+        "sqs",
+        "application",
+        "lambda"
+      ],
+      "Default": "email"
+    }
+  },
+  "Resources": {
+    "SNSSubscription": {
+      "Type": "AWS::SNS::Subscription",
+      "Properties": {
+        "Endpoint": {
+          "Ref": "SubscriptionEndPoint"
+        },
+        "Protocol": {
+          "Ref": "SubscriptionProtocol"
+        },
+        "TopicArn": {
+          "Ref": "SNSTopic"
+        }
+      }
+    }
+  }
+}

main.tf

@@ -0,0 +1,68 @@
+data "aws_caller_identity" "current" {}
+
+# Activate tags for cost allocation tracking
+# Must be done by master account
+
+# https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_budgets_CostTypes.html
+#
+/*
+# This is future work for single budget that can set most things
+locals {
+  cost_filters = {
+    AZ = {
+      AZ = ""
+    }
+    LinkedAccount = {
+      LinkedAccount = "${join(",", var.account_ids)}"
+    }
+    Operation = {
+      Operation = ""
+    }
+    PurchaseType = {
+      PurchaseType = ""
+    }
+    Service = {
+      Service = ""
+    }
+    TagKeyValue = {
+      TagKeyValue = "Stack$$${var.service}"
+    }
+    UsageType = {
+      UsageType = ""
+    }
+  }
+}
+/**/
+resource "aws_budgets_budget" "budgets" {
+  count       = "${length(var.budgets)}"
+  account_id  = "${data.aws_caller_identity.current.account_id}"
+  name        = "${var.budget_name_prefix}${lookup(var.budgets[count.index], "name")}-${title(lower(var.time_unit))}"
+  budget_type = "${var.budget_type}"
+  limit_unit  = "${var.limit_unit}"
+  time_unit   = "${var.time_unit}"
+
+  limit_amount = "${var.time_unit == "ANNUALLY" ?
+    lookup(var.budgets[count.index], "limit", "100") * 12 :
+    var.time_unit == "QUARTERLY" ?
+      lookup(var.budgets[count.index], "limit", "100") * 3 :
+      lookup(var.budgets[count.index], "limit", "100")
+  }"
+
+  time_period_start = "${var.time_unit == "ANNUALLY" ?
+    "${substr(timestamp(), 0, 5)}01-01_00:00" :
+    var.time_unit == "QUARTERLY" ?
+      "${substr(timestamp(), 0, 5)}${format("%02d", (substr(timestamp(), 5, 2) - 1) / 3 * 3 + 1)}-01_00:00" :
+      "${substr(timestamp(), 0, 8)}01_00:00"
+  }"
+
+  cost_filters = {
+    LinkedAccount = "${lookup(var.budgets[count.index], "account")}"
+  }
+
+  lifecycle {
+    ignore_changes = ["time_period_start"]
+  }
+}
+
+# Attributes: id
+