This guide will walk you through the process of deploying the read-only permissions required by unusd.cloud to your AWS account using Terraform.
Prerequisites
- An active unusd.cloud account
- Terraform installed on your local machine
- AWS CLI configured with appropriate credentials
Step 1: Obtain your Customer ID
- Log in to the unusd.cloud backstage webapp.
- Locate your Customer ID in the lower left corner of the interface.
- Copy this ID; you'll need it for the Terraform configuration.
Create a new Terraform file (e.g., unusd_cloud_role.tf) and add the following configuration:
Version 0.7 - Updated on 2024-10-06

```hcl
locals {
  # Replace with the Customer ID copied in Step 1; it is used as the sts:ExternalId.
  CustomerID = "<PLACEHOLDER_CustomerID>"
}

resource "aws_iam_role" "unusd_spoke_role" {
  name               = "unusd-cloud-spoke-role"
  assume_role_policy = data.aws_iam_policy_document.unusd_policy_assume.json

  tags = {
    SaaS    = "https://unusd.cloud"
    Contact = "support@unusd.cloud"
    Version = "0.7"
  }
}

# Permissions granted to the role: Get/List/Describe actions only.
data "aws_iam_policy_document" "unusd_policy" {
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "account:GetAccountInformation",
      "account:GetContactInformation",
      "account:ListRegions",
      "ce:GetCostAndUsage",
      "ce:GetCostForecast",
      "cloudwatch:GetMetricStatistics",
      "ec2:Describe*",
      "ec2:List*",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeTags",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:DescribeTargetHealth",
      "elasticache:DescribeCacheClusters",
      "es:ListDomainNames",
      "glue:GetDevEndpoints",
      "glue:GetTags",
      "iam:GetAccessKeyLastUsed",
      "iam:GetRole",
      "iam:List*",
      "logs:Describe*",
      "logs:List*",
      "pricing:GetProducts",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "redshift:List*",
      "sagemaker:Describe*",
      "sagemaker:List*",
      "secretsmanager:Describe*",
      "secretsmanager:List*",
      "s3:GetBucketTagging",
      "s3:List*",
      "s3:GetObjectTagging",
      "s3:GetObjectAttributes",
      "s3:GetBucketLocation"
    ]
  }
}

# Trust policy: only the unusd.cloud account may assume the role,
# and only when it presents your Customer ID as the external ID.
data "aws_iam_policy_document" "unusd_policy_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::398997493752:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.CustomerID]
    }
  }
}

resource "aws_iam_role_policy" "unusd_spoke_role_policy" {
  name   = "unusd_cloud_policy"
  policy = data.aws_iam_policy_document.unusd_policy.json
  role   = aws_iam_role.unusd_spoke_role.id
}
```
Step 3: Update the CustomerID
Replace the `<PLACEHOLDER_CustomerID>` value in the locals block with your actual Customer ID from Step 1:
```hcl
locals {
  CustomerID = "your-actual-customer-id"
}
```
Step 4: Verify the IAM Role Creation
After successful application, verify that the IAM role has been created in your AWS account. You can do this through the AWS Management Console or using the AWS CLI.
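Beyond confirming that the role exists, it is worth checking that the deployed trust policy still pins the unusd.cloud principal and your Customer ID as `sts:ExternalId`, and that nothing beyond read actions is attached. The script below is an added example, not part of unusd.cloud's tooling; it audits policy JSON such as the output of `aws iam get-role --role-name unusd-cloud-spoke-role --query Role.AssumeRolePolicyDocument` and `aws iam get-role-policy --role-name unusd-cloud-spoke-role --policy-name unusd_cloud_policy --query PolicyDocument`. The sample documents and customer ID are constructed, and the Get/List/Describe verb check is a heuristic assumption rather than an AWS classification.

```python
import json

# Principal and policy layout come from this page's Terraform.
EXPECTED_PRINCIPAL = "arn:aws:iam::398997493752:root"
READ_VERBS = ("Get", "List", "Describe")  # heuristic for "read-only" (assumption)

def as_list(value):
    """IAM JSON accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust_policy(policy, customer_id):
    """Return findings for the trust policy; an empty list means it matches."""
    findings = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if aws != [EXPECTED_PRINCIPAL]:
            findings.append(f"unexpected principal: {aws}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing StringEquals condition on sts:ExternalId")
        elif as_list(ext) != [customer_id]:
            findings.append("sts:ExternalId does not match the Customer ID")
    return findings

def non_read_actions(policy):
    """Allowed actions whose verb does not start with Get, List or Describe."""
    return [a for s in allow_statements(policy) for a in as_list(s.get("Action", []))
            if not a.split(":", 1)[-1].startswith(READ_VERBS)]

# Constructed samples: the trust policy as deployed, and a drifted copy without its condition.
SAMPLE_ID = "sample-customer-id"
GOOD_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::398997493752:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "sample-customer-id"}}}]}""")
DRIFTED_TRUST = json.loads(json.dumps(GOOD_TRUST))
del DRIFTED_TRUST["Statement"][0]["Condition"]
SAMPLE_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
                "Action": ["ec2:Describe*", "s3:List*", "iam:GetRole", "s3:PutObject"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD_TRUST, SAMPLE_ID))
    print(audit_trust_policy(DRIFTED_TRUST, SAMPLE_ID))
    print(non_read_actions(SAMPLE_PERMS))
```

A trust policy that has lost the external ID condition lets any caller in the trusted account assume the role, so treat any finding from `audit_trust_policy` as drift to correct with a fresh `terraform apply`.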
Step 5: Run your first scan
With the IAM Role and associated permissions now in place, you're ready to run your first scan with unusd.cloud.
Conclusion
You have successfully deployed the read-only permissions required by unusd.cloud to your AWS account using Terraform. This role enables unusd.cloud to access the necessary resources in your account to provide its cost optimization and resource management services.
Key points to remember:
- The created IAM role has strictly read-only permissions
- Keep your Terraform state files secure, as they may contain sensitive information about your infrastructure
- You can now proceed with using unusd.cloud's features to optimize your AWS resources and costs
If you encounter any issues or have questions, don't hesitate to contact unusd.cloud support.