Adding budgets
How to automatically add budgets and alerts to managed accounts
Task: Add budget to exisiting / new accounts
First, create a new file called “budget.yml” and add a budget constraint of 100$ and respective alerting via email. A sample can be found below (based on this).
Description: "Basic Budget 100$"
Resources:
BudgetBase:
Type: "AWS::Budgets::Budget"
Properties:
Budget:
BudgetLimit:
Amount: 100
Unit: USD
TimeUnit: MONTHLY
TimePeriod:
Start: 1225864800
End: 1926864800
BudgetType: COST
NotificationsWithSubscribers:
- Notification:
NotificationType: ACTUAL
ComparisonOperator: GREATER_THAN
Threshold: 99
Subscribers:
- SubscriptionType: EMAIL
Address: <youremail>
- Notification:
NotificationType: ACTUAL
ComparisonOperator: GREATER_THAN
Threshold: 80
Subscribers:
- SubscriptionType: EMAIL
Address: <youremail>
Outputs:
BudgetId:
Value: !Ref BudgetBase
Using CFCT solution
CFCT = (Customizations for AWS Control Tower Solution)[https://controltower.aws-management.tools/automation/cfct/].
See also https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/welcome.html.
Steps:
- If not done already, go to the s3 bucket “custom-control-tower-configuration-acccountid-region” and download the “_custom_control_tower_configuration.zip” sample archive to your local machine. Unzip.
- Go to the “custom_control_tower_configuration” folder
- Copy your budget.yml to the templates/ folder and rename it to budget.template
- Edit the manifest.yaml as follows - make sure to adjust OU and Region
...
# Control Tower Custom CloudFormation Resources
cloudformation_resources:
- name: myBudget
template_file: templates/budget.template
deploy_method: stack_set
deploy_to_ou: # :type: list
- <YourOU> # OU Name
regions:
- <YourRegion>
...
See also https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/customizations-for-aws-control-tower-developer-guide.pdf for more info.
- Save file and zip Directory
- Upload custom_control_tower_configuration.zip (no underscore!) to your s3 bucket (custom-control-tower-configuration-acccountid-region).
- Code Pipeline is triggered. Wait for pipeline execution. This could take up to 15-20 minutes.
- After pipeline execution is successfully completed, switch to AWS Management Console for the Core member account to validate that the budget is created is the specified member account.
Note: The CFCT solution does support changes of SCPs or CF templates out of the box (S3 Update triggers CodePipeline). However OU StackSet deployments “Auto Deploy” are not yet supported!
Using CloudFormation StackSets
- In the AWS console of your root account, navigate to CloudFormation
- Select StackSets
- Create a new StackSet based on the existing budget CF template
- Select “Service managed permissions”
- Select “Deploy to organizational units (OUs)” - choose OU ID (look up in AWS Organisations)
- Enable Auto Deploy
See also - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html - https://aws.amazon.com/de/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/ for more info.
Using Service Catalog
Note: In this solution, you would have to provide Account IDs manually. Constraints on OUs are not supported yet!
- In the AWS console of your root account, navigate to ServiceCatalog
- Create a new product based on the existing budget CF template
- Create a new portfolio
- Add Constraint “StackSet” and provide dedicated Account IDs - choose AWSControlTowerStackSetRole / AWSControlTowerExecution
- Launch Portfolio
- You can check the progress in CloudFormation by looking for the respective StackSet
