Terraform AWS quicksight destination

This Terraform configuration is designed to set up a receiving S3 bucket and optionally enable AWS Cost and Usage Reports (CUR) by configuring the necessary IAM roles and policies. The setup ensures secure storage, replication, and access to your CUR data for analysis in a destination account.

How does it work

First use after you clone this repository or when .pre-commit-config.yaml is updated

Run pre-commit install to install any guardrails implemented using pre-commit.

See the pre-commit installation instructions for how to install pre-commit.

Usage

Below is an example configuration for using this module with the necessary providers:

provider "aws" {
  profile = "data_collection"
  region  = "eu-central-1"
  alias   = "data_collection"
}

provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
}

module "cur_data_collection_account" {
  source = "./destination/"

  source_account_ids = ["123456789012"] # Change to sending accounts 
  create_cur         = false # Set to true to create an additional CUR in the aggregation account

  providers = {
    aws.useast1 = aws.useast1
  }
}

Example terraform.tfvars

resource_prefix = "TechNative"
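kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id" # Optional and experimental: key policies and replication-role permissions must be configured outside this module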
tags = {
  Environment = "Production"
  Owner       = "Finance"
}

s3_access_logging = {
  enabled = true
  bucket  = "my-logging-bucket"
  prefix  = "logs/"
}

source_account_ids = ["123456789012"] # Change to sending accounts
create_cur         = false # Set to true to create an additional CUR in the aggregation account

Troubleshooting

  • Access Denied Errors: Ensure that your AWS credentials have sufficient permissions to create and manage the resources defined in this Terraform configuration.
  • KMS Key Issues: If using KMS encryption, verify that the key exists and that your IAM roles have the correct permissions to use the key.
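After applying, it is worth confirming that the destination bucket policy grants access only to the accounts listed in source_account_ids. The check below is an added example, not part of this module: the function name, the sample policy and the bucket name in it are constructed for illustration, and the module's real policy may contain different statements.

```python
import json
import re

# Constructed sample policy (not the module's actual output): one expected
# source account, the CUR delivery service, and one unexpected account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": "arn:aws:s3:::example-cur-bucket/*"},
    {"Effect": "Allow",
     "Principal": {"Service": "billingreports.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-cur-bucket/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["210987654321",
                           "arn:aws:iam::123456789012:role/replication"]},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-cur-bucket/*"},
]})

# Matches a bare 12-digit account ID or an IAM ARN, capturing the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:[^:]+:iam::)?(\d{12})(?::.*)?$")


def as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unexpected_principals(policy_json, source_account_ids):
    """Return AWS principals in Allow statements that are outside the given accounts.

    Wildcard principals are always reported, even when a Condition narrows
    them, so that a human reviews the condition. Service principals are skipped.
    """
    allowed = set(source_account_ids)
    findings = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # the only valid string form is "*"
            findings.add(principal)
            continue
        for entry in as_list(principal.get("AWS", [])):
            match = ACCOUNT_RE.match(entry)
            if match is None or match.group(1) not in allowed:
                findings.add(entry)
    return sorted(findings)
```

The live policy can be fetched with `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text` and passed in as `policy_json`; include the destination account ID in the list if the policy is expected to reference it.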

Requirements

Name Version
terraform >= 1.0
aws >= 3.0

Providers

Name Version
aws >= 3.0
aws.useast1 >= 3.0

Modules

No modules.

Resources

Name Type
aws_cur_report_definition.this resource
aws_s3_bucket.this resource
aws_s3_bucket_lifecycle_configuration.this resource
aws_s3_bucket_logging.this resource
aws_s3_bucket_ownership_controls.this resource
aws_s3_bucket_policy.this resource
aws_s3_bucket_public_access_block.this resource
aws_s3_bucket_server_side_encryption_configuration.this resource
aws_s3_bucket_versioning.this resource
aws_caller_identity.this data source
aws_iam_policy_document.bucket_policy data source
aws_partition.this data source
aws_region.this data source

Inputs

Name Description Type Default Required
create_cur Whether to create a local CUR in the destination account or not. Set this to true if the destination account is NOT covered in the CUR of the source accounts bool n/a yes
cur_name_suffix Suffix used to name the local CUR report if create_cur is true string "cur" no
enable_split_cost_allocation_data Enable split cost allocation data for ECS and EKS for this CUR report bool false no
kms_key_id !!!WARNING!!! EXPERIMENTAL - Do not use unless you know what you are doing. The correct key policies and IAM permissions on the S3 replication role must be configured external to this module. If create_cur is true, the "billingreports.amazonaws.com" service must have access to encrypt S3 objects with the key ID provided. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html for information on permissions required for replicating KMS-encrypted objects. string null no
resource_prefix Prefix used for all named resources, including S3 Bucket string "cid" no
s3_access_logging S3 Access Logging configuration for the CUR bucket object({ enabled = bool, bucket = string, prefix = string }) { "bucket": null, "enabled": false, "prefix": null } no
source_account_ids List of all source accounts that will replicate CUR Data. Ex: [12345678912,98745612312,...] (fill only on Destination Account) list(string) n/a yes
tags Map of tags to apply to module resources map(string) {} no

Outputs

Name Description
cur_bucket_arn ARN of the S3 Bucket where the Cost and Usage Report is delivered
cur_bucket_name Name of the S3 Bucket where the Cost and Usage Report is delivered
cur_report_arn ARN of the Cost and Usage Report