Skip to content
/ terraform-aws-finops-costreview-access Public

Terraform module to create an IAM user or cross-account IAM role for external FinOps cost reviews in AWS. Includes examples, optional AWSOrganizations access, CI/CD workflows, and security checks.

License

View license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

elastic2ls-com/terraform-aws-finops-costreview-access

BranchesTags

Repository files navigation

Terraform CI License Status Sponsor Contact Terraform Registry OpenTofu Compatible

terraform-aws-finops-costreview-access

Terraform module to create an IAM user or cross-account IAM role for external FinOps cost reviews in an AWS account.

This module is compatible with both Terraform (>=1.3) and OpenTofu (>=1.3).

Features

  • Create IAM user with read-only access for Billing, Cost Explorer, CloudWatch.
  • Create cross-account IAM role with trust policy for a service provider.
  • Optional: attach AWSOrganizationsReadOnlyAccess policy.
  • Flexible naming of user and role, with defaults.
  • Includes examples and CI workflow with security checks.

Usage

IAM User (default mode)

module "finops_access" {
  source      = "github.com/elastic2ls-com/terraform-aws-finops-costreview-access"
  mode        = "iam-user"
  account_id  = "123456789012"
  user_name   = "finops-review-user"
  role_name   = "finops-review-role"
}

Cross-Account Role

module "finops_access" {
  source                      = "github.com/elastic2ls-com/terraform-aws-finops-costreview-access"
  mode                        = "cross-account-role"
  service_provider_account_id = "123456789012"
  service_provider_role_name  = "finops-review-role"
  external_id                 = "your-secure-external-id"     # Optional
  role_name                   = "custom-finops-role"    # Optional, default: 'FinOpsCostReviewRole'
  user_name                   = "custom-finops-user"    # Optional, default: 'finops-review-user' (ignored in this mode)
  attach_organizations_policy = true
}

Security Best Practices

  • Use service_provider_role_name to limit access to a specific role.
  • Set external_id to prevent the confused-deputy problem.
  • Avoid using account root (arn:aws:iam::<account_id>:root) as principal.

Examples

Variables

Name Description Type Default
mode Access mode: 'iam-user' or 'cross-account-role' string "iam-user"
user_name IAM user name (for iam-user mode). Defaults to 'finops-review-user'. string "finops-review-user"
service_provider_account_id AWS account ID of the service provider (for role mode) string ""
role_name IAM role name (for cross-account-role mode). Defaults to 'FinOpsCostReviewRole'. string "FinOpsCostReviewRole"
attach_organizations_policy Whether to attach AWSOrganizationsReadOnlyAccess policy bool false

Outputs

Name Description
user_name IAM user name (if created)
user_arn IAM user ARN (if created)
role_name IAM role name (if created)
role_arn IAM role ARN (if created)

Requirements

  • Terraform ≥ 1.3
  • AWS Provider ≥ 5.0

CI/CD

This module uses GitHub Actions to run:

  • terraform fmt
  • terraform validate
  • terraform plan on examples
  • checkov security scan

License

MIT

Maintainers

elastic2ls

About

Terraform module to create an IAM user or cross-account IAM role for external FinOps cost reviews in AWS. Includes examples, optional AWSOrganizations access, CI/CD workflows, and security checks.

Topics

aws module terraform iam terraform-module cost-management finops cross-account cloud-costs opentofu opentofu-module

Resources

Readme

License

View license

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.0.1 Latest
May 12, 2025
+ 1 release

Packages

No packages published

Languages