feat: reworking the module (#37)

Author: gambol99

…orkflows/terraform-module-validation.yml .github/workflows/terraform.yml.github/workflows/terraform-module-validation.yml renamed to .github/workflows/terraform.yml .github/workflows/terraform-module-validation.yml renamed to .github/workflows/terraform.yml

@@ -1,3 +1,4 @@
+---
 name: Terraform
 on:
   push:
@@ -6,7 +7,6 @@ on:
   pull_request:
     branches:
       - main
-      - vnext
 
 permissions:
   contents: read

README.md

@@ -8,11 +8,38 @@
 
 # Appvia Support Roles
 
-This repository provides a collection of sub modules used to provision the appropriate support roles and permissions with accounts. Please take a look at the examples folder for samples of how to implement.
+This repository provides a collection of Terraform sub-modules used to provision the appropriate support roles and permissions within your AWS accounts. Each module is independently deployable and scoped to a specific support function.
+
+## Modules
+
+### [LZA Support](modules/lza/README.md)
+
+Deploys into your **AWS management account** (where Control Tower and the Landing Zone Accelerator pipeline run). It provisions a cross-account IAM role that Appvia's support team can assume to monitor and troubleshoot the LZA deployment.
+
+Key resources:
+- `AppviaLZASupportRole` — cross-account role with a trust policy scoped to Appvia's SSO role
+- `AppviaLZASupportPolicy` — grants view and trigger access to CodePipeline, CloudFormation, CodeBuild, and CodeCommit
+- `AppviaCostAnalysisSupportPolicy` *(optional)* — grants read access to Cost Explorer, Billing, and Cost Optimization Hub; enabled via `enable_cost_analysis_support = true`
+
+→ [Module README](modules/lza/README.md) · [Example](examples/lza-support/README.md)
+
+---
+
+### [Cost Analysis Support](modules/costanalysis/README.md)
+
+Deploys into your **AWS Cost Analysis account** (where CUDOS dashboards and CUR data are hosted). It provisions a cross-account IAM role that Appvia's team can assume to support the CUDOS platform and cost reporting tooling.
+
+Key resources:
+- `AppviaCostAnalysisSupportRole` — cross-account role with a trust policy scoped to Appvia's SSO role
+- `AppviaCudosSupportPolicy` — grants access to QuickSight, Athena, Glue, S3 (CID/CUDOS buckets), Step Functions, Lambda, and CloudWatch Logs
+
+→ [Module README](modules/costanalysis/README.md) · [Example](examples/cost-analysis-support/README.md)
+
+---
 
 ## Deployment
 
-View the examples directory for a sample deployment.
+See the [examples](examples/) directory for sample deployments of each module.
 
 <!-- BEGIN_TF_DOCS -->
 ## Providers

examples/cost-analysis-support/.terraform.lock.hcl

@@ -1,10 +1,22 @@
 # Example: AWS Cost Analysis Support
 
-This example demonstrates how to deploy the AWS Cost Analysis support resources using Terraform in your AWS Cost Analysis Account.
+This example demonstrates how to deploy the AWS Cost Analysis support resources using Terraform in your **AWS Cost Analysis account** (where CUDOS dashboards and CUR data are hosted).
+
+The module provisions the following:
+
+- **`AppviaCostAnalysisSupportRole`** — a cross-account IAM role that Appvia's team can assume (via a trust policy scoped to Appvia's SSO role in account `148761643183`) to support the CUDOS platform and cost reporting tooling.
+- **`AppviaCudosSupportPolicy`** — a customer-managed IAM policy granting access to:
+  - **QuickSight** — view and manage analyses, dashboards, datasets, and data sources
+  - **Athena** — full access for running CID/CUDOS queries
+  - **Glue** — read access and the ability to update tables used by the dashboards
+  - **S3** — list and read access to `cid-*`, `cudos-dashboard-*`, and `aws-athena-query-results-cid-*` buckets, plus write access for Athena query results
+  - **Step Functions** — view and trigger executions for CUDOS data refresh workflows
+  - **Lambda** — read access to functions used by CID/CUDOS
+  - **CloudWatch Logs** — read access to `/aws/lambda/CID-DC*` log groups and CloudWatch alarms
 
 ## Deployment
 
-1. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
+1. Copy the `terraform.tfvars.sample` file to `terraform.tfvars` and update with your values.
 2. Run `terraform init -upgrade`
 3. Run `terraform plan -out=tfplan`
 4. Run `terraform apply tfplan`
@@ -18,27 +30,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
 
 <!-- BEGIN_TF_DOCS -->
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
-
 ## Providers
 
 No providers.
 
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_appvia_cost_analysis_support_role"></a> [appvia\_cost\_analysis\_support\_role](#module\_appvia\_cost\_analysis\_support\_role) | ../../modules/costanalysis | n/a |
-
-## Resources
-
-No resources.
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -51,4 +46,3 @@ No resources.
 |------|-------------|
 | <a name="output_appvia_cost_analysis_support_role_arn"></a> [appvia\_cost\_analysis\_support\_role\_arn](#output\_appvia\_cost\_analysis\_support\_role\_arn) | The name of the Cost Analysis Support IAM role to be assumed by the Appvia support team |
 <!-- END_TF_DOCS -->
-

examples/cost-analysis-support/README.md

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = ">= 6.0.0"
     }
   }
 }

examples/cost-analysis-support/terraform.tf

@@ -2,9 +2,17 @@
 
 This example demonstrates how to deploy the AWS Landing Zone Accelerator (LZA) support resources using Terraform in your AWS Management Account where Control Tower is configured.
 
+The module provisions the following in your management account:
+
+- **`AppviaLZASupportRole`** — an IAM role that Appvia's support team can assume (via a cross-account trust policy) to manage and troubleshoot the LZA pipeline. It grants read access to CodePipeline, CloudFormation, CodeBuild, and CodeCommit, with the ability to trigger the `AWSAccelerator-Pipeline`, and limited write access to the `aws-accelerator-config` CodeCommit repository.
+- **`AppviaLZASupportPolicy`** — a customer-managed IAM policy attached to the support role containing the above permissions.
+- **`AppviaCostAnalysisSupportPolicy`** *(optional)* — an additional policy attached to the support role granting read access to Cost Explorer, AWS Billing, Cost Optimization Hub, and Carbon Footprint data. Enabled via `enable_cost_analysis_support = true`.
+
+The trust policy on the support role allows assumption only from a specific Appvia-managed IAM role in the Appvia AWS account (`755035180280` by default), scoped to an SSO role ARN.
+
 ## Deployment
 
-1. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
+1. Copy the `terraform.tfvars.sample` file to `terraform.tfvars` and update with your values.
 2. Run `terraform init -upgrade`
 3. Run `terraform plan -out=tfplan`
 4. Run `terraform apply tfplan`
@@ -18,39 +26,21 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
 
 <!-- BEGIN_TF_DOCS -->
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
-
 ## Providers
 
 No providers.
 
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_appvia_lza_support_role"></a> [appvia\_lza\_support\_role](#module\_appvia\_lza\_support\_role) | ../../modules/lza | n/a |
-
-## Resources
-
-No resources.
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_enable_cost_analysis_support"></a> [enable\_cost\_analysis\_support](#input\_enable\_cost\_analysis\_support) | Enable the creation of the finops role in the customer account | `bool` | `false` | no |
+| <a name="input_enable_cost_analysis_support"></a> [enable\_cost\_analysis\_support](#input\_enable\_cost\_analysis\_support) | Enable the creation of the finops role in the customer account | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_appvia_cost_analysis_support_role_arn"></a> [appvia\_cost\_analysis\_support\_role\_arn](#output\_appvia\_cost\_analysis\_support\_role\_arn) | The ARN of the IAM role to be assumed by the support team for cost analysis |
 | <a name="output_appvia_landing_zone_support_role_arn"></a> [appvia\_landing\_zone\_support\_role\_arn](#output\_appvia\_landing\_zone\_support\_role\_arn) | The name of the Landing Zone Support IAM role to be assumed by the Appvia support team |
 <!-- END_TF_DOCS -->
 

examples/lza-support/.terraform.lock.hcl

@@ -2,8 +2,3 @@ output "appvia_landing_zone_support_role_arn" {
   description = "The name of the Landing Zone Support IAM role to be assumed by the Appvia support team"
   value       = module.appvia_lza_support_role.landing_support_role_arn
 }
-
-output "appvia_cost_analysis_support_role_arn" {
-  description = "The ARN of the IAM role to be assumed by the support team for cost analysis"
-  value       = module.appvia_lza_support_role.cost_analysis_support_role_arn
-}

examples/lza-support/README.md

@@ -1,12 +1,10 @@
 terraform {
   required_version = ">= 1.0"
 
-  backend "s3" {}
-
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = ">= 6.0.0"
     }
   }
 }

examples/lza-support/outputs.tf

@@ -1,7 +1,7 @@
 variable "enable_cost_analysis_support" {
   description = "Enable the creation of the finops role in the customer account"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "tags" {