add CUR report, use modern expression

sressier · sressier · commit a6aa54d5d0c2 · 2025-09-26T13:31:25.000+02:00
diff --git a/lambdas/functions/iroco2-client-side-scanner/cur.tf b/lambdas/functions/iroco2-client-side-scanner/cur.tf
@@ -0,0 +1,34 @@
+resource "aws_bcmdataexports_export" "CUR" {
+  export {
+    name = "IROCO2-REPORT"
+    data_query {
+      query_statement = "SELECT identity_line_item_id, identity_time_interval, line_item_product_code,line_item_unblended_cost FROM COST_AND_USAGE_REPORT"
+      table_configurations = {
+        COST_AND_USAGE_REPORT = {
+          BILLING_VIEW_ARN                      = "arn:aws:billing::${data.aws_caller_identity.current.account_id}:billingview/primary"
+          TIME_GRANULARITY                      = "HOURLY",
+          INCLUDE_RESOURCES                     = "FALSE",
+          INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY = "FALSE",
+          INCLUDE_SPLIT_COST_ALLOCATION_DATA    = "FALSE",
+        }
+      }
+    }
+    destination_configurations {
+      s3_destination {
+        s3_bucket = aws_s3_bucket.cur_output.bucket
+        s3_prefix = "iroco"
+        s3_region = data.aws_region.current.region
+        s3_output_configurations {
+          overwrite   = "CREATE_NEW_REPORT"
+          format      = "TEXT_OR_CSV"
+          compression = "GZIP"
+          output_type = "CUSTOM"
+        }
+      }
+    }
+
+    refresh_cadence {
+      frequency = "SYNCHRONOUS"
+    }
+  }
+}
diff --git a/lambdas/functions/iroco2-client-side-scanner/s3.tf b/lambdas/functions/iroco2-client-side-scanner/s3.tf
@@ -45,7 +45,7 @@ resource "aws_s3_bucket_policy" "cur_output" {
       {
         Effect = "Allow"
         Principal = {
-          AWS = data.aws_caller_identity.current.account_id
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
         }
         Action = "s3:*"
         Resource = [
@@ -61,6 +61,34 @@ resource "aws_s3_bucket_policy" "cur_output" {
           }
         }
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "bcm-data-exports.amazonaws.com",
+            "billingreports.amazonaws.com"
+          ]
+        }
+        Action = [
+          "s3:GetBucketPolicy",
+          "s3:PutObject"
+        ]
+        Resource = [
+          "arn:aws:s3:::${var.cur_output_bucket_name}",
+          "arn:aws:s3:::${var.cur_output_bucket_name}/*"
+        ]
+        Condition = {
+          StringEquals = {
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id,
+          },
+          StringLike = {
+            "aws:SourceArn" = [
+              "arn:aws:bcm-data-exports:us-east-1:${data.aws_caller_identity.current.account_id}:export/*",
+              "arn:aws:cur:us-east-1:${data.aws_caller_identity.current.account_id}:definition/*"
+            ]
+          }
+        }
+      },
       {
         Effect = "Deny"
         Principal = {
