AWS
Accounts in AWS are usually structured via organizations. In this case you will have a single master/payer account where all account cost is rolled into. If you do not use organizations then you will need to repeat this process for every account with billing information that you want ingested into Harness.
Whenever you add a new payer account to Harness it may take up to 24 hours for cost data to appear.
Payer Account
The first step is to create a CUR (Cost Usage Report) in the payer account. Once the CUR is created, we will need to create a role that has access to the S3 bucket that the CUR resides in. This role will have a trust policy that allows Harness to assume the role and copy the CUR data to an S3 bucket in Harness' AWS account for data ingestion.
There is a CloudFormation template or Terraform module to provision this role. The CloudFormation stack is located here, and the Terraform module here.
For both the template and the module there are inputs you must specify for your setup:
- S3 Bucket: This is the bucket in your payer account where your CUR resides
- External ID: This is extra information used when Harness assumes your AWS role to further verify the identity
- The recommended format for the external id is
harness:<harness' aws account id>:<your harness account id>
- Harness' AWS account id is
891928451355
- You can retrieve your Harness account id from the account settings page in Harness, you can optionally use any random string
- The recommended format for the external id is
- Role name: The name of the AWS IAM role provisioned that will be granted access to the S3 bucket, and allow assumption from Harness
- Enable billing: This provisions a policy that allows the role to access the S3 bucket given for the CUR data
- See the
HarnessBillingMonitoringPolicy
in the template for the exact permissions included and modify as necessary.
- See the
- (beta) Enable commitment read: (required for commitment orchestrator) This provisions a policy that gives access to read RI and savings plan data
- See the
HarnessCommitmentReadPolicy
in the template for the exact permissions included and modify as necessary.
- See the
- (beta) Enable commitment write: (required for commitment orchestrator to make purchases) This provisions a policy that gives access to purchase RI and savings plans
- See the
HarnessCommitmentWritePolicy
in the template for the exact permissions included and modify as necessary.
- See the
For the rest of the feature enablement inputs you should set these as false (disabled) in your payer account, because it is unlikely that you will have workloads running inside the payer account.
module "ccm" {
source = "harness-community/harness-ccm/aws"
version = "0.1.1"
s3_bucket_arn = "arn:aws:s3:::harness-ccm"
external_id = "harness:012345678901:wlgELJ0TTre5aZhzpt8gVA"
enable_billing = true
enable_commitment_read = true
enable_commitment_write = true
}
Enabling EC2 recommendations for all accounts at once is possible by navigating to Compute Optimizer and opting in member accounts. Opt in member accounts for Compute Optimizer.
You may need to adjust the S3 bucket policy to allow the newly created Harness IAM role to read objects in the bucket.
Harness CCM AWS Connector
Now that the CUR and role have been created in the payer account we need to create a corresponding CCM AWS connector in your Harness account to start billing data ingestion.
You can create this connector through the UI or via the API with a tool like Terraform. Using Terraform is the recommended approach and there is a Harness Terraform provider here.
To configure the connector you will need the following information:
- Account ID: The AWS account id for your payer account
- Cross account role ARN: The ARN for the IAM role that was created in your payer account via the template/module that has access to read the S3 bucket
- Cross account role external ID: This is the same external ID you specified in the template/module when you created the role.
- S3 bucket: The name (not ARN) of the S3 bucket where the CUR is located
- Report name: The name (not ARN) of the CUR in the payer account
- Features enabled: The CCM features that you want to use in this account
- At minimum this should be
BILLING
for the payer account
- At minimum this should be
resource "harness_platform_connector_awscc" "payer" {
identifier = "payer"
name = "payer"
account_id = "012345678901"
report_name = "harnessccm"
s3_bucket = "harnessccm"
features_enabled = [
"BILLING",
]
cross_account_access {
role_arn = "arn:aws:iam::012345678901:role/HarnessCERole"
external_id = "harness:867530900000:myharnessaccountid"
}
}