Apptio Cloudability Object Storage bucket access

This module grants the IBM Cloudability ServiceID access to the bucket containing the billing exports (see Exporting your usage data for continual insights). The module uses IAM custom roles so that Apptio Cloudability has only the minimum required access to the storage bucket.

The policies are granted directly to the ServiceId.

Usage

data "ibm_resource_group" "group" {
  name = "test"
}

module "cloudability_bucket_access" {
  source                            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding//modules/cloudability-bucket-access"
  bucket_crn                        = "crn:v1:bluemix:public:cloud-object-storage:global:a/81ee25188545f05150650a0a4ee015bb:a2deec95-0836-4720-bfc7-ca41c28a8c66:bucket:tf-listbuckettest"
  resource_group_id                 = data.ibm_resource_group.group.id
  policy_granularity                = "resource"
  cloudability_iam_custom_role_name = "CloudabilityStorageCustomRole"
}

Required IAM access policies

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9.0 |
| ibm | >= 1.59.0, < 2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_iam_custom_role.cos_custom_role | resource |
| ibm_iam_service_policy.cos_bucket_policy | resource |
| ibm_iam_service_policy.cos_instance_policy | resource |
| ibm_iam_service_policy.cos_resource_group_policy | resource |
| ibm_iam_roles.cos_custom_role | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bucket_crn | CRN of the Object Storage bucket. Required if policy_granularity is resource or instance. | string | null | no |
| cloudability_iam_custom_role_name | Name of the custom role that grants the Cloudability service ID access to read the billing reports from the Object Storage bucket. | string | "CloudabilityStorageCustomRole" | no |
| policy_granularity | Whether access to the Object Storage bucket is controlled at the bucket (resource), COS instance (serviceInstance), or resource-group (resourceGroup) level. Note: resource_group_id is required in the resourceGroup case; bucket_crn is required otherwise. | string | "resource" | no |
| resource_group_id | The resource group that the COS buckets are deployed in. Required if policy_granularity is "resource-group". Not used otherwise. | string | null | no |
| use_existing_iam_custom_role | Whether the IAM custom roles should be created, or whether they already exist and should be linked with a data source. | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| custom_role_display_name | Display name of the COS custom role |
| service_policy | The policy granted to the ServiceId |
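The Usage section above shows only the bucket-scoped call. The following configuration is an added example, not part of this module's README, that calls the module once per policy_granularity value from the Inputs table so the scope each choice grants to the Cloudability ServiceId is explicit, and that reuses the custom role created by the first call via use_existing_iam_custom_role. The resource group name "billing-rg", the output name, and the ACCOUNT_ID, COS_INSTANCE_ID and BUCKET_NAME fields of the CRN are placeholders. The page spells the resource-group value both as resourceGroup (policy_granularity description) and "resource-group" (resource_group_id description); the example uses resourceGroup, the spelling given for the variable itself, so check it against the module's variable validation before applying.

```hcl
# Added example: one module call per policy_granularity value, with the
# version constraints from the Requirements table. Placeholder values
# (billing-rg, ACCOUNT_ID, COS_INSTANCE_ID, BUCKET_NAME) are assumptions.
terraform {
  required_version = ">= 1.9.0"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.59.0, < 2.0.0"
    }
  }
}

data "ibm_resource_group" "billing" {
  name = "billing-rg" # assumed resource group holding the billing-export buckets
}

locals {
  module_source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding//modules/cloudability-bucket-access"
  # Placeholder CRN: replace the upper-case fields with the real bucket CRN.
  bucket_crn = "crn:v1:bluemix:public:cloud-object-storage:global:a/ACCOUNT_ID:COS_INSTANCE_ID:bucket:BUCKET_NAME"
}

# Narrowest scope: the policy is attached to this one bucket. This is the
# least-privilege choice whenever the COS instance or resource group also
# holds buckets that are not billing exports. This call creates the custom role.
module "cloudability_bucket_access_bucket" {
  source                            = local.module_source
  bucket_crn                        = local.bucket_crn
  policy_granularity                = "resource"
  cloudability_iam_custom_role_name = "CloudabilityStorageCustomRole"
}

# Instance scope: the policy covers the COS instance named in the CRN, so every
# bucket in that instance is readable with the custom role. bucket_crn is still
# required (Inputs table). The role already exists after the first call, so it
# is looked up rather than created; depends_on orders the lookup after creation.
module "cloudability_bucket_access_instance" {
  source                            = local.module_source
  bucket_crn                        = local.bucket_crn
  policy_granularity                = "serviceInstance"
  use_existing_iam_custom_role      = true
  cloudability_iam_custom_role_name = "CloudabilityStorageCustomRole"

  depends_on = [module.cloudability_bucket_access_bucket]
}

# Resource-group scope: the broadest option the module offers. Use it only when
# the resource group contains nothing but billing-export buckets.
module "cloudability_bucket_access_rg" {
  source                            = local.module_source
  resource_group_id                 = data.ibm_resource_group.billing.id
  policy_granularity                = "resourceGroup"
  use_existing_iam_custom_role      = true
  cloudability_iam_custom_role_name = "CloudabilityStorageCustomRole"

  depends_on = [module.cloudability_bucket_access_bucket]
}

# Expose the granted policies for review (e.g. in plan output or a policy audit).
output "cloudability_bucket_policy" {
  value = module.cloudability_bucket_access_bucket.service_policy
}

output "cloudability_custom_role" {
  value = module.cloudability_bucket_access_bucket.custom_role_display_name
}
```

In a real deployment pick exactly one of the three module blocks; they are shown side by side only to compare scope. The bucket-scoped call is the default for a reason: the other two widen what the Cloudability ServiceId can read beyond the billing exports themselves, and the outputs let you confirm in the plan which scope was actually granted before applying.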