Merge pull request #8 from BCDevOps/add-cost-and-budget-policy

add policy for cost explorer and budgets access
BCDevOps · Nov 23, 2023 · f47734a · f47734a
2 parents 8503457 + b20b9dd
commit f47734a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/modules/account-sso/README.md b/modules/account-sso/README.md
@@ -22,6 +22,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.bcgov_cost_explorer_and_budgets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.bcgov_perm_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_saml_provider.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |

diff --git a/modules/account-sso/main.tf b/modules/account-sso/main.tf
@@ -39,6 +39,10 @@ resource "aws_iam_role" "role" {
   ]
 }
 EOF
+
+  depends_on = [
+    aws_iam_policy.bcgov_cost_explorer_and_budgets,
+  ]
 }
 
 resource "aws_iam_policy" "bcgov_perm_boundary" {
@@ -153,3 +157,25 @@ resource "aws_iam_policy" "bcgov_perm_boundary" {
     ]
   })
 }
+
+resource "aws_iam_policy" "bcgov_cost_explorer_and_budgets" {
+  name        = "BCGOV_CostExplorerAndBudgets"
+  description = "Give all access to Cost Explorer and Budgets"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "AllowCostExplorer"
+        Effect   = "Allow"
+        Action   = "ce:*"
+        Resource = "*"
+      },
+      {
+        Sid      = "AllowBudgets"
+        Effect   = "Allow"
+        Action   = "budgets:*"
+        Resource = "*"
+      }
+    ]
+  })
+}