diff --git a/.github/workflows/tf-test-deployment.yml b/.github/workflows/tf-test-deployment.yml index 72c4e54e..d60d63e0 100644 --- a/.github/workflows/tf-test-deployment.yml +++ b/.github/workflows/tf-test-deployment.yml @@ -81,7 +81,7 @@ jobs: } EOF - cat > providers.tf << EOF + cat > versions.tf << EOF provider "aws" { region = "${{ secrets.AWS_REGION_TF }}" } @@ -92,7 +92,7 @@ jobs: } EOF - terraform fmt terraform.tfvars backend.tf providers.tf + terraform fmt terraform.tfvars backend.tf versions.tf terraform init - name: Terraform Format Check @@ -233,7 +233,7 @@ jobs: } EOF - cat > providers.tf << EOF + cat > versions.tf << EOF provider "aws" { region = "${{ secrets.AWS_REGION_TF }}" } diff --git a/terraform/cicd-deployment/README.md b/terraform/cicd-deployment/README.md index 30fb853d..b540d072 100644 --- a/terraform/cicd-deployment/README.md +++ b/terraform/cicd-deployment/README.md 
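Review bot: The rewritten heredoc `cat > versions.tf << EOF` (here and in the hunk at -233) is still unquoted while its body carries `${{ secrets.AWS_REGION_TF }}`, so the secret's raw value is spliced into the script source by the workflow renderer before bash ever runs, and a value containing `"` or `$` would break or alter the generated file. Prefer exposing the secret on the step as an environment variable, `env:` / `AWS_REGION_TF: ${{ secrets.AWS_REGION_TF }}`, and writing `region = "${AWS_REGION_TF}"` in the heredoc so the expansion is done by bash rather than by the renderer. The name versions.tf is conventionally reserved for the `terraform { required_providers }` block, which this commit keeps in the module's providers.tf; a short comment on the step, `# versions.tf here holds only the root provider blocks; required_providers lives in the module`, would save the next reader a search.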
@@ -28,8 +28,47 @@ This architecture follows AWS best practices by separating the Payer account (So ## Quick Start -1. Configure your AWS credentials for both accounts -2. Create a `terraform.tfvars` file with your global values +1. Call the Terraform module using the correct AWS providers: + +```bash +module "cloud-intelligence-dashboard" { + source = "github.com/aws-solutions-library-samples/cloud-intelligence-dashboards-framework//terraform/cicd-deployment?ref=" + + providers = { + aws = aws.payer + aws.destination = aws.destination + } + + global_values = { + destination_account_id = "123456789012" # 12-digit Data Collection account ID + source_account_ids = "987654321098" # Comma-separated list of Payer account IDs + aws_region = "us-east-1" # AWS region for deployment + quicksight_user = "user/example" # QuickSight username + cid_cfn_version = "4.2.7" # CID CloudFormation version - Supporting from 4.2.7 + data_export_version = "0.5.0" # Data Export version + environment = "dev" # Environment (dev, staging, prod) + } + +} + +provider "aws" { + alias = "payer" # optional + region = + assume_role { # optional + role_arn = + } +} + +provider "aws" { + alias = "destination_account" + region = + assume_role { # optional + role_arn = + } +} +``` + +2. Configure AWS credentials for both accounts, or use credentials capable of assuming the IAM role defined in the provider(s). 3. Run the standard Terraform workflow: ```bash @@ -42,7 +81,7 @@ terraform apply ### Required Variables -Configure these values in your `terraform.tfvars` file: +The module expects the following input variables: ```hcl global_values = { 
@@ -174,38 +213,24 @@ Access the dashboard URLs from the outputs to view your dashboards in QuickSight ## Customization -### Backend Configuration - -The module uses an S3 backend for state storage. Configure your backend in a `backend.tf` file: - -```hcl -terraform { - backend "s3" { - bucket = "your-terraform-state-bucket" - key = "terraform/cid/terraform.tfstate" - region = "us-east-1" # Replace with your desired region - use_lockfile = true # terraform-state-lock - encrypt = true - } -} -``` - ### Provider Configuration -Configure the AWS providers for both accounts in a `provider.tf` file: +The module needs access to both the payer/master and destination accounts to deploy CloudFormation stacks. The configuration below shows a sample providers setup: ```hcl provider "aws" { - region = var.global_values.aws_region - # Payer account credentials + alias = "payer" # optional + region = + assume_role { # optional + role_arn = + } } - + provider "aws" { alias = "destination_account" - region = var.global_values.aws_region - # Data Collection account credentials - assume_role { - role_arn = "arn:aws:iam::${var.global_values.destination_account_id}:role/YourCrossAccountRole" + region = + assume_role { # optional + role_arn = } } ``` @@ -253,7 +278,9 @@ This process allows you to populate your dashboards with historical cost and usa
Can I deploy everything in a single account instead of using cross-account setup? -While the cross-account setup is recommended for production environments, you can deploy the entire solution in your Payer account without requiring a separate Data Collection account. This single-account approach is simpler for testing or development purposes. To do this: +The module is configured by default for cross-account deployment, which is recommended for production environments. +If you prefer to deploy in a single account, you can deploy the entire solution within your payer account, without the need for a separate data collection account. +This single-account setup is simpler and better suited for testing or development purposes. 1. **Modify main.tf**: * Comment out or remove the `resource "aws_cloudformation_stack" "cid_dataexports_source"` block @@ -262,10 +289,10 @@ While the cross-account setup is recommended for production environments, you ca 2. **Modify outputs.tf**: * Remove or comment out the `output "cid_dataexports_source_outputs"` block -3. **Remove the variable from terraform.tfvars**: +3. **Remove the variable**: * Remove or comment out the `cid_dataexports_source` variable block -4. **Update terraform.tfvars**: +4. **Create terraform.tfvars**: ```hcl global_values = { 
@@ -282,15 +309,20 @@ While the cross-account setup is recommended for production environments, you ca 5. **Simplify provider.tf**: ```hcl - provider "aws" { - region = var.global_values.aws_region - } - - provider "aws" { - alias = "destination_account" - region = var.global_values.aws_region - # No assume_role needed as everything is deployed in the Payer account - } + provider "aws" { + region = + assume_role { # optional + role_arn = + } + } + + provider "aws" { + alias = "destination_account" + region = + assume_role { # optional + role_arn = + } + } ``` This configuration will deploy only the Data Exports Destination Stack and the Cloud Intelligence Dashboards Stack directly in your Payer account, skipping the separate Source Stack that would normally be deployed in a cross-account setup. diff --git a/terraform/cicd-deployment/backend.tf b/terraform/cicd-deployment/backend.tf deleted file mode 100644 index d48a9850..00000000 --- a/terraform/cicd-deployment/backend.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.0" - backend "s3" { - bucket = "your-terraform-state-bucket" - key = "cid-dashboard/terraform.tfstate" - region = "eu-west-2" # Replace with your desired region - use_lockfile = true # terraform-state-lock - encrypt = true - } -} diff --git a/terraform/cicd-deployment/locals.tf b/terraform/cicd-deployment/locals.tf index 5d1d2211..b53e34c9 100644 --- a/terraform/cicd-deployment/locals.tf +++ b/terraform/cicd-deployment/locals.tf 
@@ -1,12 +1,4 @@ locals { - # Get destination_role_arn from TF_VAR environment variable - destination_role_arn = var.destination_role_arn - - # # Create an effective global_values with the potentially overridden destination_role_arn - # effective_global_values = merge(var.global_values, { - # destination_role_arn = local.destination_role_arn != "" ? local.destination_role_arn : var.global_values.destination_role_arn - # }) - # Common CloudFormation template parameters common_template_url_base = "https://aws-managed-cost-intelligence-dashboards.s3.amazonaws.com/cfn" diff --git a/terraform/cicd-deployment/main.tf b/terraform/cicd-deployment/main.tf index 13842f7f..18f9d559 100644 --- a/terraform/cicd-deployment/main.tf +++ b/terraform/cicd-deployment/main.tf @@ -129,4 +129,4 @@ resource "aws_cloudformation_stack" "cloud_intelligence_dashboards" { tags ] } -} \ No newline at end of file +} diff --git a/terraform/cicd-deployment/providers.tf b/terraform/cicd-deployment/providers.tf index e84895ee..51ca2d1f 100644 --- a/terraform/cicd-deployment/providers.tf +++ b/terraform/cicd-deployment/providers.tf @@ -1,29 +1,9 @@ -provider "aws" { - region = var.global_values.aws_region - - default_tags { - tags = local.common_tags - } -} - -provider "aws" { - alias = "destination_account" - region = var.global_values.aws_region - - assume_role { - role_arn = local.destination_role_arn - } - - default_tags { - tags = local.common_tags - } -} - terraform { required_providers { aws = { - source = "hashicorp/aws" - version = "~> 4.0" + source = "hashicorp/aws" + version = "~> 6.0" + configuration_aliases = [aws, aws.destination_account] } } required_version = ">= 1.0.0" diff --git a/terraform/cicd-deployment/variables.tf b/terraform/cicd-deployment/variables.tf index cd136615..c9dbf4ba 100644 --- a/terraform/cicd-deployment/variables.tf +++ b/terraform/cicd-deployment/variables.tf 
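Review bot: With `configuration_aliases = [aws, aws.destination_account]` the module no longer controls which account the destination provider authenticates to, and nothing checks that the caller-supplied `aws.destination_account` actually targets `var.global_values.destination_account_id` now that `destination_role_arn` and its assume_role block are removed; a missing or mis-pointed alias would deploy the destination stacks into whatever account the payer credentials resolve to. A caller-identity postcondition placed in main.tf next to the stack resources fails the plan early (below). The README Quick Start in this same commit passes `aws.destination = aws.destination` while this block declares the alias `aws.destination_account` and the README's own provider sample uses `alias = "destination_account"`, so the documented module call would not resolve. Dropping `default_tags { tags = local.common_tags }` from both removed provider blocks means the stacks are tagged only if the caller configures default_tags, which the README does not mention; either document it or set `tags = local.common_tags` on the resources if that local still exists. The `terraform {` block continues past the end of the hunk.
```hcl
# … unchanged: terraform { required_providers … } block …

# Fail the plan if the provider handed in as aws.destination_account is not
# authenticated to the account named in global_values.destination_account_id.
data "aws_caller_identity" "destination" {
  provider = aws.destination_account

  lifecycle {
    postcondition {
      condition     = self.account_id == var.global_values.destination_account_id
      error_message = "aws.destination_account is not authenticated to global_values.destination_account_id"
    }
  }
}
```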
@@ -265,9 +265,3 @@ variable "global_values" { error_message = "Environment must be one of: dev, staging, prod" } } - -variable "destination_role_arn" { - description = "ARN of the role to assume in the destination account" - type = string - default = null -} diff --git a/terraform/terraform-test/deploy.sh b/terraform/terraform-test/deploy.sh index be2c1671..1963eb39 100755 --- a/terraform/terraform-test/deploy.sh +++ b/terraform/terraform-test/deploy.sh @@ -91,8 +91,8 @@ EOF fi fi -# Modify provider.tf to use the same account for both providers and set region -cat > "$TEMP_DIR/local_override.tf" << EOF +# Add AWS providers for payer and destination account within th esame region +cat > "$TEMP_DIR/versions.tf" << EOF provider "aws" { region = "${S3_REGION}" }
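Review bot: The new comment has a typo, `th esame`; suggested: `# Add AWS providers for payer and destination account within the same region`. The target file is renamed from local_override.tf to versions.tf, so any later line of the script that cleans up or references `local_override.tf` (not visible in this hunk) needs the same rename or the old name lingers. The heredoc body runs past the end of the hunk, so the destination provider block the comment announces could not be checked here; presumably it follows the payer block.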