SMPROD-17327: ADD Private Billing Module

README.md

@@ -1,12 +1,13 @@
 # AWS Cloudwatch Metrics Integration with Sysdig Monitor Terraform Module
 
-This Terraform module integrates AWS Cloudwatch with Sysdig Monitor, enabling users to directly consume AWS Cloudwatch metrics within Sysdig Monitor.
+This Terraform module integrates AWS Cloudwatch with Sysdig Monitor, enabling users to directly consume AWS Cloudwatch metrics within Sysdig Monitor and Private Billing functionalities.
 
 ## Usage
 
 There are several ways to integrate AWS Cloudwatch Metrics with Sysdig Monitor.
 - **[`/examples`](https://github.com/sysdiglabs/terraform-aws-monitor-for-cloud/tree/master/examples)** for the most common scenarios
   - [Cloudwatch Metrics Stream Single Account](https://github.com/sysdiglabs/terraform-aws-monitor-for-cloud/tree/master/examples/cloudwatch-metrics-stream-single-account/)
+  - [Private Billing Single Account](https://github.com/sysdiglabs/terraform-aws-monitor-for-cloud/tree/master/examples/private-billing-single-account/)
 
 <br/>
 
@@ -96,6 +97,33 @@ Precise AWS resources may vary depending on module configuration but in general,
 * aws_kinesis_firehose_delivery_stream.sysdig_metric_kinesis_firehose
 * aws_s3_bucket.sysdig_stream_backup_bucket
 
+
+### AWS Resources Created for the AWS Private Billing Integration
+Precise AWS resources may vary depending on module configuration but in general, the following AWS resources are created as part of the AWS Private Billing Integration.
+
+* aws_s3_bucket.sysdig_curs3_bucket
+* aws_s3_bucket_policy.sysdig_cur_bucket_policy
+* aws_cur_report_definition.sysdig_created_cur
+* aws_glue_catalog_database.aws_cur_database
+* aws_lakeformation_permissions.sysdig_db_permissions
+* aws_athena_workgroup.athena_workgroup
+* aws_glue_crawler.cur_crawler
+* aws_lambda_function.cur_initializer
+* aws_lambda_permission.s3_cur_event_lambda
+* aws_lambda_function.s3_cur_notification
+* aws_glue_catalog_table.cur_report_status_table
+* sysdig_monitor_cloud_account.assume_role_cloud_account
+* aws_iam_role.cur_crawler_component_function
+* aws_iam_role_policy.cur_crawler_inline_policy
+* aws_iam_role_policy.cur_kms_decryption_inline_policy
+* aws_iam_role.cur_crawler_lambda_executor
+* aws_iam_role_policy.cur_crawler_lambda_executor_inline_policy
+* aws_iam_role.s3_cur_lambda_executor
+* aws_iam_policy.s3_cur_lambda_executor_policy
+* aws_iam_role.private_billing_role
+* aws_iam_policy.spot_feed_policy
+* aws_iam_policy.sysdig_cost_athena_access_policy
+
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).

examples/private-billing-single-account/README.md

@@ -0,0 +1,128 @@
+# Sysdig Monitor for Cloud in AWS<br/>[ Example :: Private Billing Single Account ]
+
+Deploy Private Billing feature in a single AWS account.<br/>
+All the required resources and workloads will be run under the same account.
+
+
+### Notice
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-monitor-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+![diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-monitor-for-cloud/main/examples/private-billing-single-account/diagram.png)
+
+## Prerequisites
+
+Minimum requirements:
+
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+2. Monitor requirements, as input variable value
+    ```
+    sysdig_monitor_api_token=<Sysdig API Key>
+    sysdig_aws_account_id=<Sysdig AWS accountId>
+    sysdig_external_id=<Sysdig external ID>
+    ```
+
+
+## Usage
+
+For quick testing, use this snippet on your terraform files
+
+```terraform
+terraform {
+    required_providers {
+        sysdig = {
+            source = "sysdiglabs/sysdig"
+            version = ">= 1.41.0"
+        }
+    }
+}
+
+provider "aws" {
+   region = "<AWS-REGION>"
+}
+
+provider "sysdig" {
+   sysdig_monitor_url = "https://<sysdig-endpoint>"
+   sysdig_monitor_api_token = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+module "billing_module" {
+    source = "sysdiglabs/terraform-aws-monitor-for-cloud/examples/private-billing-single-account"
+
+    s3_bucket_name = "billing-bucket-test"
+    s3_bucket_prefix = "billing-data"
+    s3_athena_bucket_prefix = "athena-cur-query-results"
+    sysdig_cost_access_role_name = "test-MonitoringRole"
+    create_new_role = true
+    sysdig_aws_account_id = "xxxx-xxxx-xxxx"
+    sysdig_external_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+See [inputs summary](#inputs) or module module [`variables.tf`](https://github.com/sysdiglabs/terraform-aws-monitor-for-cloud/blob/master/examples/private-billing-single-account/variables.tf) file for more optional configuration.
+
+To run this example you need have your [aws account profile configured in CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) and to execute:
+```terraform
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.41.0 |
+
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_private_billing"></a> [private\_billing](#module\_private\_billing) | ../../modules/private-billing | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sysdig_monitor_cloud_account.current](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/monitor_cloud_account) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+|<a name="s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of S3 bucket where Cost and Usage data will be generated | `string` | ` ` | yes |
+|<a name="s3_bucket_prefix"></a> [s3\_bucket\_prefix](#input\_s3\_bucket\_prefix) | Prefix of CUR files inside S3 bucket | `string` | `billing-data` | yes |
+|<a name="s3_athena_bucket_prefix"></a> [s3\_athena\_bucket\_prefix](#input\_s3\_athena\_bucket\_prefix) | Prefix of Athena results inside S3 bucket | `string` | `athena-cur-query-results` | yes |
+|<a name="sysdig_cost_access_role_name"></a> [sysdig\_cost\_access\_role\_name](#input\_sysdig\_cost\_access\_role_name) | Name of role which will be granted permissions to access cost and billing data | `string` | `SysdigBillingIntegrationMonitoringRole` | yes |
+|<a name="create_new_role"></a> [create\_new\_role](#input\_create\_new\_role) | Whether the role above already exists or should be created from scratch | `boolean` | false | yes |
+|<a name="sysdig_aws_account_id"></a> [sysdig\_aws\_account\_id](#input\_sysdig\_aws\_account\_id) | AWS account used by Sysdig | `string` | ` ` | yes |
+|<a name="sysdig_external_id"></a> [sysdig\_external\_id](#input\_sysdig\_external\_id) | ExternalID used by Sysdig when assuming role | `string` | ` ` | yes |
+|<a name="spot_data_feed_bucket_name"></a> [spot\_data\_feed\_bucket\_name](#input\_spot\_data\_feed\_bucket\_name) | The bucket where the spot data feed is sent from the “Setting up the Spot Data feed” step | `string` | ` ` | no |
+|<a name="sysdig_cost_report_file_name"></a> [sysdig\_cost\_report\_file\_name](#input\_sysdig\_cost\_report\_file\_name) | Name of the report file that will be generated by the AWS billing service | `string` | `sysdig_aws_private_billing` | no |
+|<a name="sysdig_cost_crawler_name_suffix"></a> [sysdig\_cost\_crawler\_name\_suffix](#input\_sysdig\_cost\_crawler\_name\_suffix) | Name Suffix of the AWS Glue Crawler that will be created to crawl the CUR data | `string` | `sysdig_aws_private_billing` | no |
+|<a name="tags"></a> [tags](#input\_tags) | Map of tags to apply to resources | `string map` | ` ` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_monitoring_role_name"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Name of the role which could be used to monitor cloudwatch metric stream |
+| <a name="athena_bucket_name"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Name of the S3 bucket where the Athena query results are stored |
+| <a name="athena_database_name"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Prefix of the S3 bucket where the Athena query results are stored |
+| <a name="athena_region"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Region where the Athena query results are stored |
+| <a name="athena_table_name"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Name of the Athena table |
+| <a name="athena_workgroup_name"></a> [monitoring\_role\_name](#output\_monitoring\_role\_name) | Name of the Athena workgroup |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+
+## Authors
+
+Module is maintained and supported by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

examples/private-billing-single-account/data.tf

@@ -0,0 +1,3 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "me" {}
+data "aws_partition" "current" {}

examples/private-billing-single-account/main.tf

@@ -0,0 +1,18 @@
+#-------------------------------------
+# private billing
+#-------------------------------------
+
+module "private_billing" {
+    source = "../../modules/private-billing"
+    s3_bucket_name = var.s3_bucket_name
+    s3_bucket_prefix = var.s3_bucket_prefix
+    s3_athena_bucket_prefix = var.s3_athena_bucket_prefix
+    sysdig_cost_access_role_name = var.sysdig_cost_access_role_name
+    create_new_role = var.create_new_role
+    sysdig_aws_account_id = var.sysdig_aws_account_id
+    sysdig_external_id = var.sysdig_external_id
+    spot_data_feed_bucket_name = var.spot_data_feed_bucket_name
+    sysdig_cost_report_file_name = var.sysdig_cost_report_file_name
+    sysdig_cost_crawler_name_suffix = var.sysdig_cost_crawler_name_suffix
+    tags = var.tags
+}

examples/private-billing-single-account/variables.tf

@@ -0,0 +1,77 @@
+variable "s3_bucket_name" {
+    description = "Name of S3 bucket where Cost and Usage data will be generated"
+    type        = string
+    default     = ""
+    validation {
+        condition     = length(var.s3_bucket_name) > 0
+        error_message = "The s3-bucket-name is required."
+    }
+}
+
+variable "s3_bucket_prefix" {
+    description = "Prefix of CUR files inside S3 bucket"
+    type        = string
+    default     = "billing-data"
+    validation {
+        condition     = length(var.s3_bucket_prefix) > 0
+        error_message = "The s3_bucket_prefix is required."
+    }
+}
+
+variable "s3_athena_bucket_prefix" {
+    description = "Prefix of Athena results inside S3 bucket"
+    type        = string
+    default     = "athena-cur-query-results"
+    validation {
+        condition     = length(var.s3_athena_bucket_prefix) > 0
+        error_message = "The s3_athena_bucket_prefix is required."
+    }
+}
+
+variable "sysdig_cost_access_role_name" {
+    description = "Name of role which will be granted permissions to access cost and billing data"
+    type        = string
+    default     = "SysdigCloudwatchIntegrationMonitoringRole"
+}
+
+variable "create_new_role" {
+    description = "Whether the role above already exists or should be created from scratch"
+    type        = bool
+    default     = false
+}
+
+variable "sysdig_aws_account_id" {
+    description = "AWS account used by Sysdig"
+    type        = string
+    default     = ""
+}
+
+variable "sysdig_external_id" {
+    description = "ExternalID used by Sysdig when assuming role"
+    type        = string
+    default     = ""
+}
+
+variable "spot_data_feed_bucket_name" {
+    description = "The bucket where the spot data feed is sent from the “Setting up the Spot Data feed” step"
+    type        = string
+    default     = ""
+}
+
+variable "sysdig_cost_report_file_name" {
+    description = "Name of the report file that will be generated by the AWS billing service"
+    type        = string
+    default     = "sysdig_aws_private_billing"
+}
+
+variable "sysdig_cost_crawler_name_suffix" {
+    description = "Name Suffix of the AWS Glue Crawler that will be created to crawl the CUR data"
+    type        = string
+    default     = "sysdig_aws_private_billing"
+}
+
+variable "tags" {
+    description = "Map of tags to apply to resources"
+    type        = map(string)
+    default     = {}
+}

examples/private-billing-single-account/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    sysdig = {
+      source = "sysdiglabs/sysdig"
+      version = ">= 1.41.0"
+    }
+    aws = {
+      version = ">= 5.7.0"
+    }
+  }
+}