The latest articles on DEV Community by Rafael Ribeiro (@rribeiro1). https://dev.to/rribeiro1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F123053%2F0ff88403-9705-429e-81fd-1ed78189dba3.jpg https://dev.to/rribeiro1 en Rafael Ribeiro Fri, 31 Jul 2020 19:59:42 +0000 https://dev.to/rribeiro1/budgets-alarms-for-aws-accounts-and-services-using-terraform-4lmf https://dev.to/rribeiro1/budgets-alarms-for-aws-accounts-and-services-using-terraform-4lmf <p>Who never had a surprise when checking the billing panel from Amazon, google, or another cloud provider? It happened with me, a couple of times actually, and I am sure it happens with you as well as in your organization 😅</p> <h2> Common problems and motivations 💸 </h2> <p>It’s not rare that we sometimes think service would cost X and it ends up costing 2X in the final of the month, sometimes we also create resources manually for experimentations and forget to clean them up, on the other hand, it is not healthy to access the budgets panel every day to check whether the costs are okay or not, so the best way to avoid surprises at the end of the month would be automating this process and creating some sort of alarms when something is wrong.</p> <p>Is this post we are going to create a process to keep track of our budgets in AWS by defining a threshold in the account level as well as by services. When the threshold is reached we are going to receive an alert via email (Slack users can use the <a href="https://slack.com/apps/A0F81496D-email">Email Slack App</a> so that they can receive the email in a specific channel).</p> <h2> Prerequisites </h2> <p>This guide assumes some basic familiarity with the usual Terraform workflow (init, plan, and apply). It also assumes that you have your terraform and AWS provider properly configured.</p> <h2> Implementation Scenario </h2> <p>Using AWS Billings it is possible to keep track of costs using a lot of approaches, for instance, resource tags where we can filter costs by a specific business or teams, resource names using amazon services names, etc. It is also possible to set alarms for forecast values or current values.</p> <p>Let's say that we have a <code>development account</code> in AWS and we usually use two services: <code>EC2</code> and <code>S3</code> which costs $ 15/month.</p> <ul> <li> <strong>EC2:</strong> $ 10,00 </li> <li> <strong>S3:</strong> $ 5,00</li> </ul> <p>We also want to reserve $ 5,00 in the account for eventual costs, in the end, what we need to achieve is:</p> <p>Receive an alert when:</p> <ul> <li>Forecast amount for the <code>Development account</code> is <code>greater than 20,00</code> </li> <li>Forecast amount for <code>EC2</code> is <code>greater than 10,00</code> </li> <li>Forecast amount for <code>S3</code> is <code>greater than 5,00</code> </li> </ul> <p>After implementing the module in terraform, we are going to use it like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"billing_alarm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./../../modules/budgets"</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="s2">"Development"</span> <span class="nx">account_budget_limit</span> <span class="p">=</span> <span class="s2">"20.0"</span> <span class="nx">services</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EC2</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">budget_limit</span> <span class="p">=</span> <span class="s2">"10.0"</span> <span class="p">},</span> <span class="nx">S3</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">budget_limit</span> <span class="p">=</span> <span class="s2">"5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Before Starting </h2> <p>If you in a hurry, you can find this module ready to use <a href="https://registry.terraform.io/modules/rribeiro1/budget-alarms/aws/0.0.2">here</a></p> <h2> Terraform Module Structure </h2> <p>Let’s get started by creating a terraform module so that we can reuse in cases where we have more than one account, our folder's structure will be something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">.</span> ├── accounts │   └── development │   ├── budgets.tf │   └── provider.tf <span class="c"># not configured in this post </span> │   └── modules    └── budgets       ├── main.tf      ├── services.tf        └── variables.tf </code></pre> </div> <h4> Input Variables </h4> <p>First, create the directory <code>modules/budgets</code> and the file <code>variables.tf</code>, it will have input variables for our module:</p> <ul> <li> <strong>Account name:</strong> Name of the AWS account to be tracked.</li> <li> <strong>Account budget limit:</strong> Threshold cost for the account level.</li> <li> <strong>Services:</strong> List of AWS services to be tracked, we need to inform the name and values for each service. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/budgets/variables.tf</span> <span class="k">variable</span> <span class="s2">"account_name"</span> <span class="p">{}</span> <span class="k">variable</span> <span class="s2">"account_budget_limit"</span> <span class="p">{}</span> <span class="k">variable</span> <span class="s2">"services"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of AWS services to be monitored in terms of costs"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">budget_limit</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">}</span> </code></pre> </div> <h4> Services Helper </h4> <p>The name of the service should match the name AWS expects otherwise the filter will not work properly, thus, we can create a support map to define some common services (if the service you want is not listed here you can add it later), in the same folder create a new a file called <code>services.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/budgets/services.tf</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">aws_services</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Athena</span> <span class="p">=</span> <span class="s2">"Amazon Athena"</span> <span class="nx">EC2</span> <span class="p">=</span> <span class="s2">"Amazon Elastic Compute Cloud - Compute"</span> <span class="nx">ECR</span> <span class="p">=</span> <span class="s2">"Amazon EC2 Container Registry (ECR)"</span> <span class="nx">ECS</span> <span class="p">=</span> <span class="s2">"Amazon EC2 Container Service"</span> <span class="nx">Kubernetes</span> <span class="p">=</span> <span class="s2">"Amazon Elastic Container Service for Kubernetes"</span> <span class="nx">EBS</span> <span class="p">=</span> <span class="s2">"Amazon Elastic Block Store"</span> <span class="nx">CloudFront</span> <span class="p">=</span> <span class="s2">"Amazon CloudFront"</span> <span class="nx">CloudTrail</span> <span class="p">=</span> <span class="s2">"AWS CloudTrail"</span> <span class="nx">CloudWatch</span> <span class="p">=</span> <span class="s2">"AmazonCloudWatch"</span> <span class="nx">Cognito</span> <span class="p">=</span> <span class="s2">"Amazon Cognito"</span> <span class="nx">Config</span> <span class="p">=</span> <span class="s2">"AWS Config"</span> <span class="nx">DynamoDB</span> <span class="p">=</span> <span class="s2">"Amazon DynamoDB"</span> <span class="nx">DMS</span> <span class="p">=</span> <span class="s2">"AWS Database Migration Service"</span> <span class="nx">ElastiCache</span> <span class="p">=</span> <span class="s2">"Amazon ElastiCache"</span> <span class="nx">Elasticsearch</span> <span class="p">=</span> <span class="s2">"Amazon Elasticsearch Service"</span> <span class="nx">ELB</span> <span class="p">=</span> <span class="s2">"Amazon Elastic Load Balancing"</span> <span class="nx">Gateway</span> <span class="p">=</span> <span class="s2">"Amazon API Gateway"</span> <span class="nx">Glue</span> <span class="p">=</span> <span class="s2">"AWS Glue"</span> <span class="nx">Kafka</span> <span class="p">=</span> <span class="s2">"Managed Streaming for Apache Kafka"</span> <span class="nx">KMS</span> <span class="p">=</span> <span class="s2">"AWS Key Management Service"</span> <span class="nx">Kinesis</span> <span class="p">=</span> <span class="s2">"Amazon Kinesis"</span> <span class="nx">Lambda</span> <span class="p">=</span> <span class="s2">"AWS Lambda"</span> <span class="nx">Lex</span> <span class="p">=</span> <span class="s2">"Amazon Lex"</span> <span class="nx">Matillion</span> <span class="p">=</span> <span class="s2">"Matillion ETL for Amazon Redshift"</span> <span class="nx">Pinpoint</span> <span class="p">=</span> <span class="s2">"AWS Pinpoint"</span> <span class="nx">Polly</span> <span class="p">=</span> <span class="s2">"Amazon Polly"</span> <span class="nx">Rekognition</span> <span class="p">=</span> <span class="s2">"Amazon Rekognition"</span> <span class="nx">RDS</span> <span class="p">=</span> <span class="s2">"Amazon Relational Database Service"</span> <span class="nx">Redshift</span> <span class="p">=</span> <span class="s2">"Amazon Redshift"</span> <span class="nx">S3</span> <span class="p">=</span> <span class="s2">"Amazon Simple Storage Service"</span> <span class="nx">SFTP</span> <span class="p">=</span> <span class="s2">"AWS Transfer for SFTP"</span> <span class="nx">Route53</span> <span class="p">=</span> <span class="s2">"Amazon Route 53"</span> <span class="nx">SageMaker</span> <span class="p">=</span> <span class="s2">"Amazon SageMaker"</span> <span class="nx">SecretsManager</span> <span class="p">=</span> <span class="s2">"AWS Secrets Manager"</span> <span class="nx">SES</span> <span class="p">=</span> <span class="s2">"Amazon Simple Email Service"</span> <span class="nx">SNS</span> <span class="p">=</span> <span class="s2">"Amazon Simple Notification Service"</span> <span class="nx">SQS</span> <span class="p">=</span> <span class="s2">"Amazon Simple Queue Service"</span> <span class="nx">Tax</span> <span class="p">=</span> <span class="s2">"Tax"</span> <span class="nx">VPC</span> <span class="p">=</span> <span class="s2">"Amazon Virtual Private Cloud"</span> <span class="nx">WAF</span> <span class="p">=</span> <span class="s2">"AWS WAF"</span> <span class="nx">XRay</span> <span class="p">=</span> <span class="s2">"AWS X-Ray"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, we can implement the budgets module, let's start by creating an SNS topic so that when an alarm is triggered, it will send a message in this topic and everyone subscribed in this topic will receive the message, in our case, it will be an email, we will get into that later.</p> <h4> Budget Module </h4> <p>Here we are creating a new topic and defining a policy that allows AWS budgets to Publish Message.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/budgets/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_sns_topic"</span> <span class="s2">"account_billing_alarm_topic"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"account-billing-alarm-topic"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_sns_topic_policy"</span> <span class="s2">"account_billing_alarm_policy"</span> <span class="p">{</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">sns_topic_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"sns_topic_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AWSBudgetsSNSPublishingPermissions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"SNS:Receive"</span><span class="p">,</span> <span class="s2">"SNS:Publish"</span> <span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"budgets.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Once we have a topic, we can create a budget resource for the account level and subscribe to the topic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/budgets/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_budgets_budget"</span> <span class="s2">"budget_account"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">account_name</span><span class="k">}</span><span class="s2"> Account Monthly Budget"</span> <span class="nx">budget_type</span> <span class="p">=</span> <span class="s2">"COST"</span> <span class="nx">limit_amount</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">account_budget_limit</span> <span class="nx">limit_unit</span> <span class="p">=</span> <span class="s2">"USD"</span> <span class="nx">time_unit</span> <span class="p">=</span> <span class="s2">"MONTHLY"</span> <span class="nx">time_period_start</span> <span class="p">=</span> <span class="s2">"2020-01-01_00:00"</span> <span class="nx">notification</span> <span class="p">{</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GREATER_THAN"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">threshold_type</span> <span class="p">=</span> <span class="s2">"PERCENTAGE"</span> <span class="nx">notification_type</span> <span class="p">=</span> <span class="s2">"FORECASTED"</span> <span class="nx">subscriber_sns_topic_arns</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The last resource will be the budgets for services, it will receive a list of services and create a budget for each one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/budgets/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_budgets_budget"</span> <span class="s2">"budget_resources"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">services</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">account_name</span><span class="k">}</span><span class="s2"> </span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2"> Monthly Budget"</span> <span class="nx">budget_type</span> <span class="p">=</span> <span class="s2">"COST"</span> <span class="nx">limit_amount</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">budget_limit</span> <span class="nx">limit_unit</span> <span class="p">=</span> <span class="s2">"USD"</span> <span class="nx">time_unit</span> <span class="p">=</span> <span class="s2">"MONTHLY"</span> <span class="nx">time_period_start</span> <span class="p">=</span> <span class="s2">"2020-01-01_00:00"</span> <span class="nx">cost_filters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">aws_services</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">)</span> <span class="p">}</span> <span class="nx">notification</span> <span class="p">{</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GREATER_THAN"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">threshold_type</span> <span class="p">=</span> <span class="s2">"PERCENTAGE"</span> <span class="nx">notification_type</span> <span class="p">=</span> <span class="s2">"FORECASTED"</span> <span class="nx">subscriber_sns_topic_arns</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">account_billing_alarm_topic</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The module is complete, now we can easily reuse in our amazon accounts, to do so, create a <code>budgets.tf</code> in the account folder and import the module, like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># accounts/development/budgets.tf</span> <span class="k">module</span> <span class="s2">"billing_alarm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/budgets"</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="s2">"Development"</span> <span class="nx">account_budget_limit</span> <span class="p">=</span> <span class="s2">"20.0"</span> <span class="nx">services</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EC2</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">budget_limit</span> <span class="p">=</span> <span class="s2">"10.0"</span> <span class="p">},</span> <span class="nx">S3</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">budget_limit</span> <span class="p">=</span> <span class="s2">"5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To deploy this infrastructure, go to the development folder and type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform init <span class="nv">$ </span>terraform plan <span class="c"># After check the plan command we can apply </span> <span class="nv">$ </span>terraform apply </code></pre> </div> <p>After applying you should have the budgets as shown below:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IhGvzB-c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/budgets.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IhGvzB-c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/budgets.png" alt="budgets.png" width="880" height="342"></a></p> <p>And the SNS topic:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MvGzy0dc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/sns-topic.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MvGzy0dc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/sns-topic.png" alt="sns-topic.png" width="880" height="160"></a></p> <p>The last step is to subscribe to this topic via Email app in Slack or any email.</p> <h2> Slack or Email Integration </h2> <p>If you have a slack paid plan, you can use the <a href="https://slack.com/apps/A0F81496D-email">Email Slack App</a> integration, it provides a custom email to be used in the slack channel, thus, every email that is sent to this account will appear in the channel.</p> <p>I don't have a pro slack plan, so for simplicity, I will use my email for it, however, the process would be the same using the email integration app. </p> <p><strong>Note:</strong> This part of the process is not supported by Terraform, so we are going to do it manually. </p> <h3> Subscribing the email to the topic </h3> <p>Go to SNS panel in AWS and select <code>Subscriptions</code> and create a new subscription by choosing the topic that was created in the previous step and in Protocol chose <strong>email</strong>, after creating the subscription you should receive an email from AWS SNS.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1EAofh7L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/subscription.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1EAofh7L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://rafaelribeiro.io/assets/public/subscription.png" alt="subscription.png" width="880" height="423"></a></p> <p>From now on, every time you hit a threshold you will receive an email notification like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Budget Notification May 04, 2020 AWS Account XXXXXXXXX Dear AWS Customer, You requested that we alert you when the FORECASTED Cost associated with your Development EC2 Monthly Budget is greater than $10.00 for the current month. The FORECASTED Cost associated with this budget is $15.00. You can find additional details below and by accessing the AWS Budgets dashboard. Budget Name: Development EC2 Monthly Budget Budget Type: Cost Budgeted Amount: $10.00 Alert Type: FORECASTED Alert Threshold: &gt; $10.00 FORECASTED Amount: $15.00 </code></pre> </div> <p>That's it! </p> <p><strong>Note:</strong> This implementation uses the version 0.12 of Terraform, you can find the same implementation using the version 0.11 <a href="https://gist.github.com/rribeiro1/9062cec2e0f89564314ecca771ae1111">here</a></p> terraform aws budgets devops