Skip to content

How to use unusd.cloud with Terraform

This guide will walk you through the process of deploying the read-only permissions required by unusd.cloud to your AWS account using Terraform.

Prerequisites

  1. An active unusd.cloud account
  2. Terraform installed on your local machine
  3. AWS CLI configured with appropriate credentials

Step 1: Obtain your Customer ID

  • Log in to the unusd.cloud backstage webapp.
  • Locate your Customer ID in the lower left corner of the interface.
  • Copy this ID; you'll need it for the Terraform configuration.

Step 2: Create Terraform Configuration

Create a new Terraform file (e.g., unusd_cloud_role.tf) and add the following configuration:

Version 0.7 - Updated on 2024-10-06
locals {
    CustomerID = "<PLACEHOLDER_CustomerID>"
}

resource "aws_iam_role" "unusd_spoke_role" {
    name               = "unusd-cloud-spoke-role"
    assume_role_policy = data.aws_iam_policy_document.unusd_policy_assume.json
    tags = {
    SaaS     = "https://unusd.cloud",
    Contact  = "support@unusd.cloud"
    Version  = "0.7"
    }
}

data "aws_iam_policy_document" "unusd_policy" {
    statement {
    effect = "Allow"
    resources = ["*"]
    actions = [
      "account:GetAccountInformation",
      "account:GetContactInformation",
      "account:ListRegions",
      "ce:GetCostAndUsage",
      "ce:GetCostForecast",
      "cloudwatch:GetMetricStatistics",
      "ec2:Describe*",
      "ec2:List*",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeTags",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:DescribeTargetHealth",
      "elasticache:DescribeCacheClusters",
      "es:ListDomainNames",
      "glue:GetDevEndpoints",
      "glue:GetTags",
      "iam:GetAccessKeyLastUsed",
      "iam:GetRole",
      "iam:List*",
      "logs:GetLogEvents",
      "logs:Describe*",
      "logs:List*",
      "pricing:GetProducts",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "redshift:List*",
      "sagemaker:Describe*",
      "sagemaker:List*",
      "secretsmanager:Describe*",
      "secretsmanager:List*",
      "s3:GetBucketTagging",
      "s3:List*",
      "s3:GetObjectTagging",
      "s3:GetObjectAttributes",
      "s3:GetBucketLocation"
        ]
    }
}

data "aws_iam_policy_document" "unusd_policy_assume" {
    statement {
        actions = ["sts:AssumeRole"]
        principals {
            type        = "AWS"
            identifiers = ["arn:aws:iam::398997493752:root"]
        }
    condition {
        test     = "StringEquals"
        variable = "sts:ExternalId"
        values   = ["${local.CustomerID}"]
        }
    }
}

resource "aws_iam_role_policy" "unusd_spoke_role_policy" {
    name   = "unusd_cloud_policy"
    policy = data.aws_iam_policy_document.unusd_policy.json
    role   = aws_iam_role.unusd_spoke_role.id
}

Step 3: Update the CustomerID

Replace the in the locals block with your actual Customer ID from Step 1:

locals {
    CustomerID = "your-actual-customer-id"
}

Step 4: Verify the IAM Role Creation

After successful application, verify that the IAM role has been created in your AWS account. You can do this through the AWS Management Console or using the AWS CLI.

Step 5: Run your first scan

With the IAM Role and associated permissions now in place, you're ready to run your first scan with unusd.cloud.

Conclusion

You have successfully deployed the read-only permissions required by unusd.cloud to your AWS account using Terraform. This role enables unusd.cloud to access the necessary resources in your account to provide its cost optimization and resource management services.

Key points to remember:

  • The created IAM role has strictly read-only permissions
  • Keep your Terraform state files secure, as they may contain sensitive information about your infrastructure
  • You can now proceed with using unusd.cloud's features to optimize your AWS resources and costs

If you encounter any issues or have questions, don't hesitate to contact unusd.cloud support.