From 5981a046958c4c9503c81147765a49eb31a72609 Mon Sep 17 00:00:00 2001
From: Meraj Kashi
Date: Mon, 28 Jul 2025 11:55:27 +0200
Subject: [PATCH] Change the terraform configurations to support as a module
---
 .github/workflows/tf-test-deployment.yml | 6 +-
 terraform/cicd-deployment/README.md | 110 +++++++++++++++--------
 terraform/cicd-deployment/backend.tf | 10 ---
 terraform/cicd-deployment/locals.tf | 8 --
 terraform/cicd-deployment/main.tf | 2 +-
 terraform/cicd-deployment/providers.tf | 26 +-----
 terraform/cicd-deployment/variables.tf | 6 --
 terraform/terraform-test/deploy.sh | 4 +-
 8 files changed, 80 insertions(+), 92 deletions(-)
 delete mode 100644 terraform/cicd-deployment/backend.tf
diff --git a/.github/workflows/tf-test-deployment.yml b/.github/workflows/tf-test-deployment.yml
index 72c4e54e9..d60d63e06 100644
--- a/.github/workflows/tf-test-deployment.yml
+++ b/.github/workflows/tf-test-deployment.yml
@@ -81,7 +81,7 @@ jobs:
 }
 EOF
- cat > providers.tf << EOF
+ cat > versions.tf << EOF
 provider "aws" {
 region = "${{ secrets.AWS_REGION_TF }}"
 }
@@ -92,7 +92,7 @@ jobs:
 }
 EOF
- terraform fmt terraform.tfvars backend.tf providers.tf
+ terraform fmt terraform.tfvars backend.tf versions.tf
 terraform init
 - name: Terraform Format Check
@@ -233,7 +233,7 @@ jobs:
 }
 EOF
- cat > providers.tf << EOF
+ cat > versions.tf << EOF
 provider "aws" {
 region = "${{ secrets.AWS_REGION_TF }}"
 }
diff --git a/terraform/cicd-deployment/README.md b/terraform/cicd-deployment/README.md
index 30fb853db..b540d072d 100644
--- a/terraform/cicd-deployment/README.md
+++ b/terraform/cicd-deployment/README.md
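Review bot: `terraform fmt terraform.tfvars backend.tf versions.tf` in the @@ -92 hunk still names backend.tf, which this commit deletes from terraform/cicd-deployment; that only works if the heredoc closed by the `EOF` just above writes a backend.tf into the working directory, which the hunk does not show. The hunks at @@ -81 and @@ -233 write a default `provider "aws"` block straight into the module directory, so CI keeps exercising the root-module path and never the `configuration_aliases` contract (`providers = { aws.destination_account = … }`) that the README in this commit documents; a step that calls the directory as a child module would cover that path. Only the default provider is visible in the heredoc, and since providers.tf now declares `aws.destination_account` as a required alias, the part of the heredoc outside the hunk must define that alias or `terraform init`/`terraform validate` is likely to fail.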
@@ -28,8 +28,47 @@ This architecture follows AWS best practices by separating the Payer account (So
 ## Quick Start
-1. Configure your AWS credentials for both accounts
-2. Create a `terraform.tfvars` file with your global values
+1. Call the Terraform module using the correct AWS providers:
+
+```bash
+module "cloud-intelligence-dashboard" {
+ source = "github.com/aws-solutions-library-samples/cloud-intelligence-dashboards-framework//terraform/cicd-deployment?ref="
+
+ providers = {
+ aws = aws.payer
+ aws.destination = aws.destination
+ }
+
+ global_values = {
+ destination_account_id = "123456789012" # 12-digit Data Collection account ID
+ source_account_ids = "987654321098" # Comma-separated list of Payer account IDs
+ aws_region = "us-east-1" # AWS region for deployment
+ quicksight_user = "user/example" # QuickSight username
+ cid_cfn_version = "4.2.7" # CID CloudFormation version - Supporting from 4.2.7
+ data_export_version = "0.5.0" # Data Export version
+ environment = "dev" # Environment (dev, staging, prod)
+ }
+
+}
+
+provider "aws" {
+ alias = "payer" # optional
+ region =
+ assume_role { # optional
+ role_arn =
+ }
+}
+
+provider "aws" {
+ alias = "destination_account"
+ region =
+ assume_role { # optional
+ role_arn =
+ }
+}
+```
+
+2. Configure AWS credentials for both accounts, or use credentials capable of assuming the IAM role defined in the provider(s).
 3. Run the standard Terraform workflow:
 ```bash
@@ -42,7 +81,7 @@ terraform apply
 ### Required Variables
-Configure these values in your `terraform.tfvars` file:
+The module expects the following input variables:
 ```hcl
 global_values = {
@@ -174,38 +213,24 @@ Access the dashboard URLs from the outputs to view your dashboards in QuickSight
 ## Customization
-### Backend Configuration
-
-The module uses an S3 backend for state storage. Configure your backend in a `backend.tf` file:
-
-```hcl
-terraform {
- backend "s3" {
- bucket = "your-terraform-state-bucket"
- key = "terraform/cid/terraform.tfstate"
- region = "us-east-1" # Replace with your desired region
- use_lockfile = true # terraform-state-lock
- encrypt = true
- }
-}
-```
-
 ### Provider Configuration
-Configure the AWS providers for both accounts in a `provider.tf` file:
+The module needs access to both the payer/master and destination accounts to deploy CloudFormation stacks. The configuration below shows a sample providers setup:
 ```hcl
 provider "aws" {
- region = var.global_values.aws_region
- # Payer account credentials
+ alias = "payer" # optional
+ region =
+ assume_role { # optional
+ role_arn =
+ }
 }
-
+
 provider "aws" {
 alias = "destination_account"
- region = var.global_values.aws_region
- # Data Collection account credentials
- assume_role {
- role_arn = "arn:aws:iam::${var.global_values.destination_account_id}:role/YourCrossAccountRole"
+ region =
+ assume_role { # optional
+ role_arn =
 }
 }
 ```
@@ -253,7 +278,9 @@ This process allows you to populate your dashboards with historical cost and usa
 Can I deploy everything in a single account instead of using cross-account setup?
-While the cross-account setup is recommended for production environments, you can deploy the entire solution in your Payer account without requiring a separate Data Collection account. This single-account approach is simpler for testing or development purposes. To do this:
+The module is configured by default for cross-account deployment, which is recommended for production environments.
+If you prefer to deploy in a single account, you can deploy the entire solution within your payer account, without the need for a separate data collection account.
+This single-account setup is simpler and better suited for testing or development purposes.
 1. **Modify main.tf**:
 * Comment out or remove the `resource "aws_cloudformation_stack" "cid_dataexports_source"` block
@@ -262,10 +289,10 @@ While the cross-account setup is recommended for production environments, you ca
 2. **Modify outputs.tf**:
 * Remove or comment out the `output "cid_dataexports_source_outputs"` block
-3. **Remove the variable from terraform.tfvars**:
+3. **Remove the variable**:
 * Remove or comment out the `cid_dataexports_source` variable block
-4. **Update terraform.tfvars**:
+4. **Create terraform.tfvars**:
 ```hcl
 global_values = {
@@ -282,15 +309,20 @@ While the cross-account setup is recommended for production environments, you ca
 5. **Simplify provider.tf**:
 ```hcl
- provider "aws" {
- region = var.global_values.aws_region
- }
-
- provider "aws" {
- alias = "destination_account"
- region = var.global_values.aws_region
- # No assume_role needed as everything is deployed in the Payer account
- }
+ provider "aws" {
+ region =
+ assume_role { # optional
+ role_arn =
+ }
+ }
+
+ provider "aws" {
+ alias = "destination_account"
+ region =
+ assume_role { # optional
+ role_arn =
+ }
+ }
 ```
 This configuration will deploy only the Data Exports Destination Stack and the Cloud Intelligence Dashboards Stack directly in your Payer account, skipping the separate Source Stack that would normally be deployed in a cross-account setup.
diff --git a/terraform/cicd-deployment/backend.tf b/terraform/cicd-deployment/backend.tf
deleted file mode 100644
index d48a98501..000000000
--- a/terraform/cicd-deployment/backend.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0"
- backend "s3" {
- bucket = "your-terraform-state-bucket"
- key = "cid-dashboard/terraform.tfstate"
- region = "eu-west-2" # Replace with your desired region
- use_lockfile = true # terraform-state-lock
- encrypt = true
- }
-}
diff --git a/terraform/cicd-deployment/locals.tf b/terraform/cicd-deployment/locals.tf
index 5d1d22112..b53e34c95 100644
--- a/terraform/cicd-deployment/locals.tf
+++ b/terraform/cicd-deployment/locals.tf
@@ -1,12 +1,4 @@
 locals {
- # Get destination_role_arn from TF_VAR environment variable
- destination_role_arn = var.destination_role_arn
-
- # # Create an effective global_values with the potentially overridden destination_role_arn
- # effective_global_values = merge(var.global_values, {
- # destination_role_arn = local.destination_role_arn != "" ? local.destination_role_arn : var.global_values.destination_role_arn
- # })
-
 # Common CloudFormation template parameters
 common_template_url_base = "https://aws-managed-cost-intelligence-dashboards.s3.amazonaws.com/cfn"
diff --git a/terraform/cicd-deployment/main.tf b/terraform/cicd-deployment/main.tf
index 13842f7f7..18f9d5596 100644
--- a/terraform/cicd-deployment/main.tf
+++ b/terraform/cicd-deployment/main.tf
@@ -129,4 +129,4 @@ resource "aws_cloudformation_stack" "cloud_intelligence_dashboards" {
 tags
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/cicd-deployment/providers.tf b/terraform/cicd-deployment/providers.tf
index e84895eee..51ca2d1f0 100644
--- a/terraform/cicd-deployment/providers.tf
+++ b/terraform/cicd-deployment/providers.tf
@@ -1,29 +1,9 @@
-provider "aws" {
- region = var.global_values.aws_region
-
- default_tags {
- tags = local.common_tags
- }
-}
-
-provider "aws" {
- alias = "destination_account"
- region = var.global_values.aws_region
-
- assume_role {
- role_arn = local.destination_role_arn
- }
-
- default_tags {
- tags = local.common_tags
- }
-}
-
 terraform {
 required_providers {
 aws = {
- source = "hashicorp/aws"
- version = "~> 4.0"
+ source = "hashicorp/aws"
+ version = "~> 6.0"
+ configuration_aliases = [aws, aws.destination_account]
 }
 }
 required_version = ">= 1.0.0"
diff --git a/terraform/cicd-deployment/variables.tf b/terraform/cicd-deployment/variables.tf
index cd136615f..c9dbf4bab 100644
--- a/terraform/cicd-deployment/variables.tf
+++ b/terraform/cicd-deployment/variables.tf
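Review bot: Removing the two `provider "aws"` blocks in providers.tf also drops `default_tags { tags = local.common_tags }`, and nothing in the new hunk carries that tagging over, so unless every caller configures default_tags on both providers the stacks lose the common tags (the main.tf lifecycle above ignores `tags` changes, so this would not surface on later plans). The module also no longer checks that `aws.destination_account` actually targets the account in `var.global_values.destination_account_id`; with assume_role now optional per the README, a caller can wire both aliases to the payer account and the destination stack is deployed there silently. The README sample in this same commit passes `aws.destination = aws.destination`, which does not match the declared `aws.destination_account` alias and would be rejected when the module is called, so the README and this hunk need to agree on one name. A caller-identity guard like the one below fails early on a mis-wired provider; `check` blocks need Terraform 1.5, so `required_version` should be raised to match (or use a `lifecycle { precondition }` on the data source, which needs 1.2). The `~> 6.0` constraint also jumps two major versions from `~> 4.0`, so callers pinned to the 5.x provider cannot consume the module without a coordinated upgrade.
```hcl
# … unchanged: terraform { required_providers { … } required_version … } …

# Fail early if the caller wired aws.destination_account to the wrong account.
data "aws_caller_identity" "destination" {
  provider = aws.destination_account
}

check "destination_provider_targets_destination_account" {
  assert {
    condition     = data.aws_caller_identity.destination.account_id == var.global_values.destination_account_id
    error_message = "aws.destination_account must be configured for the account given in global_values.destination_account_id."
  }
}
```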
@@ -265,9 +265,3 @@ variable "global_values" {
 error_message = "Environment must be one of: dev, staging, prod"
 }
 }
-
-variable "destination_role_arn" {
- description = "ARN of the role to assume in the destination account"
- type = string
- default = null
-}
diff --git a/terraform/terraform-test/deploy.sh b/terraform/terraform-test/deploy.sh
index be2c1671f..1963eb394 100755
--- a/terraform/terraform-test/deploy.sh
+++ b/terraform/terraform-test/deploy.sh
@@ -91,8 +91,8 @@ EOF
 fi
 fi
-# Modify provider.tf to use the same account for both providers and set region
-cat > "$TEMP_DIR/local_override.tf" << EOF
+# Add AWS providers for payer and destination account within th esame region
+cat > "$TEMP_DIR/versions.tf" << EOF
 provider "aws" {
 region = "${S3_REGION}"
 }
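Review bot: The added comment in deploy.sh has a typo; it should read `# Add AWS providers for payer and destination account within the same region`. Renaming the generated file from `local_override.tf` to `versions.tf` also changes semantics: an `_override.tf` file is merged last and replaces same-named blocks, whereas a plain versions.tf is ordinary configuration, so this now works only because providers.tf in this commit drops its own `provider "aws"` blocks, and reintroducing one would make `terraform init` in `$TEMP_DIR` fail with a duplicate provider configuration. A one-line comment recording that coupling, e.g. `# Relies on the module declaring no provider blocks of its own (see providers.tf configuration_aliases)`, would keep it visible to the next editor. The heredoc and the enclosing script continue past the hunk, so the destination-account provider it presumably also writes is not visible here.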