Voronenko · March 3, 2021 09:10
diff --git a/aws_billing_policies.tf b/aws_billing_policies.tf
 // https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html
 data "aws_iam_policy_document" "BillingViewAccess" {
  statement {
    actions = [
      "aws-portal:ViewAccount",
      "aws-portal:ViewBilling",
      "aws-portal:ViewPaymentMethods",
      "aws-portal:ViewUsage",
      "budgets:ViewBudget",
      "ce:DescribeNotificationSubscription",
      "ce:DescribeReport",
      "ce:GetAnomalies",
      "ce:GetAnomalyMonitors",
      "ce:GetAnomalySubscriptions",
      "ce:GetPreferences",
      "ce:ListCostCategoryDefinitions",
      "cur:DescribeReportDefinitions",
      "pricing:DescribeServices",
      "pricing:GetAttributeValues",
      "pricing:GetProducts",
      "purchase-orders:ViewPurchaseOrders",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
 }

 resource "aws_iam_policy" "BillingViewAccess" {
  name        = "BillingViewAccess"
  policy      = data.aws_iam_policy_document.BillingViewAccess.json
  description = "Allow users to view billing data"
 }

 // https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html
 data "aws_iam_policy_document" "BillingFullAccess" {
  statement {
    actions = [
      "aws-portal:*",
      "budgets:*",
      "ce:*",
      "cur:*",
      "pricing:*",
      "purchase-orders:*",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
 }

 resource "aws_iam_policy" "BillingFullAccess" {
  name        = "BillingFullAccess"
  policy      = data.aws_iam_policy_document.BillingFullAccess.json
  description = "Allow users to have full access to billing data"
 }



 resource "aws_iam_group_policy_attachment" "project-billing-viewers-BillingViewAccess" {
  group      = aws_iam_group.project-billing-viewers.name
  policy_arn = aws_iam_policy.BillingViewAccess.arn
 }

 resource "aws_iam_group_policy_attachment" "project-superusers-BillingFullAccess" {
  group      = aws_iam_group.project-superusers.name
  policy_arn = aws_iam_policy.BillingFullAccess.arn
 }
	// https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html
	data "aws_iam_policy_document" "BillingViewAccess" {
	statement {
	actions = [
	"aws-portal:ViewAccount",
	"aws-portal:ViewBilling",
	"aws-portal:ViewPaymentMethods",
	"aws-portal:ViewUsage",
	"budgets:ViewBudget",
	"ce:DescribeNotificationSubscription",
	"ce:DescribeReport",
	"ce:GetAnomalies",
	"ce:GetAnomalyMonitors",
	"ce:GetAnomalySubscriptions",
	"ce:GetPreferences",
	"ce:ListCostCategoryDefinitions",
	"cur:DescribeReportDefinitions",
	"pricing:DescribeServices",
	"pricing:GetAttributeValues",
	"pricing:GetProducts",
	"purchase-orders:ViewPurchaseOrders",
	]
	effect = "Allow"
	resources = [
	"*",
	]
	}
	}

	resource "aws_iam_policy" "BillingViewAccess" {
	name = "BillingViewAccess"
	policy = data.aws_iam_policy_document.BillingViewAccess.json
	description = "Allow users to view billing data"
	}

	// https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html
	data "aws_iam_policy_document" "BillingFullAccess" {
	statement {
	actions = [
	"aws-portal:*",
	"budgets:*",
	"ce:*",
	"cur:*",
	"pricing:*",
	"purchase-orders:*",
	]
	effect = "Allow"
	resources = [
	"*",
	]
	}
	}

	resource "aws_iam_policy" "BillingFullAccess" {
	name = "BillingFullAccess"
	policy = data.aws_iam_policy_document.BillingFullAccess.json
	description = "Allow users to have full access to billing data"
	}



	resource "aws_iam_group_policy_attachment" "project-billing-viewers-BillingViewAccess" {
	group = aws_iam_group.project-billing-viewers.name
	policy_arn = aws_iam_policy.BillingViewAccess.arn
	}

	resource "aws_iam_group_policy_attachment" "project-superusers-BillingFullAccess" {
	group = aws_iam_group.project-superusers.name
	policy_arn = aws_iam_policy.BillingFullAccess.arn
	}