
it-ae-tfmod-kion-account

Audience: Platform Engineers and Infrastructure Developers.

Purpose: Create Kion-specific resources for new accounts.


Overview

This Terraform module creates Kion-specific resources after AWS resources are provisioned. It is called by it-cloud-account-hub and is not intended as a standalone module.


Resources Created

Kion User Group

Creates a user group and associates it with the Azure AD group:

resource "kion_user_group" "account_group" {
  name        = var.account_name
  description = "User group for ${var.account_name}"

  idms_id = var.azure_ad_idms_id

  saml_assertion_name  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  saml_assertion_regex = var.ad_group_id
}

Kion Project

Creates a project with budget allocation:

resource "kion_project" "new_project" {
  name        = var.account_name
  description = "Project for ${var.account_name}"
  ou_id       = var.kion_ou_id

  budget {
    amount = var.expenditure
    data   = local.monthly_budget_breakdown
  }
}

Budget Breakdown

The expenditure input is split into monthly segments by an external Python script; the result is exposed as local.monthly_budget_breakdown and passed to the project budget above.


Account Linking (API Call)

Terraform's Kion provider doesn't support account management as resources, so the module uses a null_resource with a local-exec provisioner to call the Kion API directly. The API key is read from the KION_APIKEY environment variable at apply time:

resource "null_resource" "link_aws_account_to_project" {
  count      = var.is_aws == true ? 1 : 0
  depends_on = [kion_project.new_project]

  provisioner "local-exec" {
    command = <<EOT
curl -X 'POST' \
  'https://kion.cloud.tamu.edu/api/v3/payer/1/link-project-account' \
  -H "Authorization: Bearer $KION_APIKEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "account_email": "${var.account_email}",
    "account_name": "${var.account_name}",
    "account_number": "${var.account_number}",
    "account_type_id": 1,
    "project_id": ${kion_project.new_project.id}
  }'
EOT
  }
}
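The same link-project-account request built in Python, as an added example that is not the module's own code: it JSON-encodes the body instead of interpolating the variables into a shell command, so a quote or backslash in account_name or account_email cannot break the command, and it reads the key from KION_APIKEY exactly as the curl call does. The function names and the sample values are assumptions for illustration.

```python
import json
import os
import urllib.request

# Endpoint and ids as the module's local-exec call hard-codes them:
# payer 1 and account_type_id 1 (AWS).
KION_URL = "https://kion.cloud.tamu.edu/api/v3/payer/1/link-project-account"
AWS_ACCOUNT_TYPE_ID = 1


def build_link_request(account_email, account_name, account_number,
                       project_id, api_key, url=KION_URL):
    """Build the POST request for link-project-account.

    json.dumps escapes quotes and backslashes in the account name or
    e-mail as JSON data, instead of splicing the raw values into a shell
    command string as the curl heredoc does.
    """
    body = {
        "account_email": account_email,
        "account_name": account_name,
        "account_number": account_number,
        "account_type_id": AWS_ACCOUNT_TYPE_ID,
        "project_id": int(project_id),
    }
    data = json.dumps(body).encode("utf-8")
    headers = {
        "Authorization": "Bearer " + api_key,
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def link_account(account_email, account_name, account_number, project_id,
                 timeout=30):
    """Send the request; the key comes from KION_APIKEY, as in the module."""
    api_key = os.environ.get("KION_APIKEY")
    if not api_key:
        raise RuntimeError("KION_APIKEY is not set")
    req = build_link_request(account_email, account_name, account_number,
                             project_id, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; the module would pass var.account_email,
    # var.account_name, var.account_number and kion_project.new_project.id.
    print(link_account("aws-root@example.edu", "research-lab", "123456789012", 42))
```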

Cloud Access Role (CAR)

Creates a CAR for accessing the AWS account through Kion:

resource "kion_cloud_access_role" "admin_car" {
  name              = "${var.account_name}-admin"
  aws_iam_role_name = "OrganizationAccountAccessRole"
  project_id        = kion_project.new_project.id

  aws_iam_policies {
    id = data.kion_aws_iam_policy.admin.id
  }

  user_groups {
    id = kion_user_group.account_group.id
  }
}

Resource Flow


Input Variables

Variable        Type    Description
is_aws          bool    Filter for AWS-only resources
account_name    string  Account name
account_number  string  AWS account ID
account_email   string  Account root email
expenditure     number  Budget amount
ad_group_id     string  Azure AD group object ID

Outputs

Output         Description
project_id     Kion project ID
user_group_id  Kion user group ID
car_id         Cloud Access Role ID