terraform resources for the Cost Explorer Service #16137

Closed
b-b3rn4rd opened this issue Nov 11, 2020 · 12 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource.

Comments

@b-b3rn4rd

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS provides a dedicated set of APIs for managing AWS Cost Explorer.
https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/Welcome.html

I'm finding it would be handy to be able to provision some of those resources using terraform; particularly, I'm interested in https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CreateAnomalyMonitor.html

New or Affected Resource(s)

  • aws_cost_explorer_create_anomaly_monitor

Potential Terraform Configuration

resource "aws_cost_explorer_create_anomaly_monitor" "anomaly_spending" {
  monitor_name = "unexpected-aws-charges"
  monitor_type = "DIMENSIONAL"
  monitor_specification = <<EOF
{ 
         "And": [ 
            "Expression"
         ],
         "CostCategories": { 
            "Key": "string",
            "MatchOptions": [ "string" ],
            "Values": [ "string" ]
         },
         "Dimensions": { 
            "Key": "string",
            "MatchOptions": [ "string" ],
            "Values": [ "string" ]
         },
         "Not": "Expression",
         "Or": [ 
            "Expression"
         ],
         "Tags": { 
            "Key": "string",
            "MatchOptions": [ "string" ],
            "Values": [ "string" ]
         }
}
EOF
}

References

@b-b3rn4rd b-b3rn4rd added the enhancement Requests to existing resources that expand the functionality or scope. label Nov 11, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 11, 2020
@ewbankkit ewbankkit added service/costexplorer new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 11, 2020
@borgoat

borgoat commented Feb 1, 2021

Also interested in this, I could work on the implementation!

I'd have a few points to discuss before working on it though:

  • The "Cost Explorer" API is named simply ce in the CLI, SDKs, and the endpoint. Similarly to how the "Cost and Usage Report" is referred to as cur. Therefore, I believe we should use aws_ce_* as prefix to the resources.
  • I would call this resource aws_ce_anomaly_monitor since the call to Create/Update actions is more of an implementation detail to Terraform than the name of the actual resource.
  • I believe we should create an aws_ce_anomaly_subscription based on ce:CreateAnomalySubscription since that's very needed to make use of an Anomaly Monitor.
  • Finally, I'm not sure what the structure should be for the monitor_specification field: the Expression object is a generic object that is also for example used in the ce:CreateCostCategoryDefinition action; and I guess in the future it may be used for other Cost Explorer actions too. I wonder if we should create a "datasource" à la aws_iam_policy_document?

@sshvetsov

Looks like CloudFormation support for Anomaly Monitor (AWS::CE::AnomalyMonitor) and Anomaly Subscription (AWS::CE::AnomalySubscription) is about to go live. Providing documentation links in case they're helpful in crafting relevant Terraform resources.

In case triage team missed it, here's an old request to support Cost Categories (another Cost Explorer service): #12801.

@sshvetsov

Here's an updated description for this feature request, with a focus on Cost Anomaly Detection.

Description

AWS has announced General Availability of AWS Cost Anomaly Detection on Dec. 16, 2020.

AWS Cost Anomaly Detection uses a multi-layered machine learning model that learns your unique, historic spend patterns to detect one-time cost spike and/or continuous cost increases, without you having to define your thresholds. Every anomaly detected will be available in the detection history tab. We send you the anomaly detection report with root-cause analysis. And the service also comes at no cost to our customers

Basically, it's a rare FREE AWS service that can alert users about anomalies in their infrastructure costs, making it an extremely useful service for anyone operating infrastructure on AWS.

New or Affected Resource(s)

  • aws_ce_anomaly_monitor
  • aws_ce_anomaly_subscription

Potential Terraform Configuration

Simple example:

resource "aws_ce_anomaly_monitor" "service_monitor" {
  name      = "AWSServiceMonitor"
  type      = "DIMENSIONAL"
  dimension = "SERVICE"
}

resource "aws_ce_anomaly_subscription" "anomaly_subscription" {
  name      = "DailyAnomalySubscription"
  threshold = 100
  frequency = "DAILY"

  monitor_arn_list = [
    aws_ce_anomaly_monitor.service_monitor.arn,
  ]

  subscribers = [
    {
      type    = "EMAIL"
      address = "abc@example.com"
    }
  ]
}

Complex example:

resource "aws_ce_anomaly_monitor" "linked_account_monitor" {
  name = "LinkedAccountMonitor"
  type = "CUSTOM"

  specification = <<JSON
{
    "Dimensions": {
        "Key": "LINKED_ACCOUNT",
        "Values": [
            "123456789012",
            "123456789013"
        ]
    }
}
  JSON
}

resource "aws_sns_topic" "cost_anomaly_updates" {
  name = "CostAnomalyUpdates"
}

data "aws_iam_policy_document" "sns_topic_policy" {
  policy_id = "__default_policy_ID"

  statement {
    sid = "AWSAnomalyDetectionSNSPublishingPermissions"

    actions = [
      "SNS:Publish",
    ]

    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["costalerts.amazonaws.com"]
    }

    resources = [
      aws_sns_topic.cost_anomaly_updates.arn,
    ]
  }

  statement {
    sid = "__default_statement_ID"

    actions = [
      "SNS:Subscribe",
      "SNS:SetTopicAttributes",
      "SNS:RemovePermission",
      "SNS:Receive",
      "SNS:Publish",
      "SNS:ListSubscriptionsByTopic",
      "SNS:GetTopicAttributes",
      "SNS:DeleteTopic",
      "SNS:AddPermission",
    ]

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"

      values = [
        var.account-id,
      ]
    }

    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.cost_anomaly_updates.arn,
    ]
  }
}

resource "aws_sns_topic_policy" "default" {
  arn = aws_sns_topic.cost_anomaly_updates.arn

  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

resource "aws_ce_anomaly_subscription" "realtime_subscription" {
  name      = "RealtimeAnomalySubscription"
  threshold = 0
  frequency = "IMMEDIATE"

  monitor_arn_list = [
    aws_ce_anomaly_monitor.linked_account_monitor.arn,
  ]

  subscribers = [
    {
      type    = "SNS"
      address = aws_sns_topic.cost_anomaly_updates.arn
    }
  ]

  depends_on = [
    aws_sns_topic_policy.default,
  ]
}

References

@udayanms

Any planned date for this? I certainly need this.

@stobias123

stobias123 commented Apr 12, 2022

Bump. This would be great, especially since tag based cost anomaly detection is now available.

@williamcodes

Yes, I would love to have this as well.

@headincl0ud

Be patient :) I started working on it.

@breathingdust
Member

Related #12801

@mathewmoon

mathewmoon commented May 11, 2022

💯 On this. Thanks for getting this rolling. @headincl0ud Is there a projection on what release/date this could arrive?

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

@zhelding
Contributor

Hi folks! #25177 and #25224 have added support for aws_ce_anomaly_monitor and aws_ce_anomaly_subscription resources respectively. I believe this resolves this issue.

Special thanks to @brittandeyoung for his PRs! 👏🏻 And thank you to everyone in this thread for contributing to the discussion around these resources.

If there are any additional resources desired beyond those proposed by this issue: please open a new issue detailing the resource and your potential use case.
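
Added example, not part of the thread and not the provider's own documentation: the SNS-backed subscription proposed earlier in this issue, written against the merged aws_ce_anomaly_monitor and aws_ce_anomaly_subscription resources. The attribute names (monitor_type, monitor_dimension, the subscriber block, threshold) and the aws:SourceAccount condition are assumptions to check against your installed provider version and the AWS Cost Anomaly Detection documentation.

```hcl
# Attribute names are assumptions; verify against your provider version.
data "aws_caller_identity" "current" {}

resource "aws_ce_anomaly_monitor" "service_monitor" {
  name              = "AWSServiceMonitor"
  monitor_type      = "DIMENSIONAL"
  monitor_dimension = "SERVICE"
}

resource "aws_sns_topic" "cost_anomaly_updates" {
  name = "CostAnomalyUpdates"
}

data "aws_iam_policy_document" "sns_topic_policy" {
  statement {
    sid       = "AWSAnomalyDetectionSNSPublishingPermissions"
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.cost_anomaly_updates.arn]

    principals {
      type        = "Service"
      identifiers = ["costalerts.amazonaws.com"]
    }

    # Restrict the service principal to publishes made for this account,
    # so another account's monitors cannot write to the topic.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_sns_topic_policy" "default" {
  arn    = aws_sns_topic.cost_anomaly_updates.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

resource "aws_ce_anomaly_subscription" "realtime_subscription" {
  name             = "RealtimeAnomalySubscription"
  threshold        = 0 # newer provider releases may expect threshold_expression instead
  frequency        = "IMMEDIATE"
  monitor_arn_list = [aws_ce_anomaly_monitor.service_monitor.arn]

  subscriber {
    type    = "SNS"
    address = aws_sns_topic.cost_anomaly_updates.arn
  }

  # The topic policy must exist before the subscription is created.
  depends_on = [aws_sns_topic_policy.default]
}
```
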

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 23, 2022