CMSgov · juliareynolds-nava · Aug 21, 2025 · Aug 21, 2025 · Aug 22, 2025 · Aug 25, 2025
@@ -0,0 +1,61 @@
+name: tf-cost-anomaly
+run-name: tf-cost-anomaly ${{ (inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule') && 'apply' || 'plan' }}
+
+on:
+  push:
+    paths:
+      - .github/workflows/tf-cost-anomaly.yml
+      - terraform/services/cost-anomaly/**
+  schedule:
+    - cron: "12 14 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      apply:
+        required: false
+        type: boolean
+        description: "Apply the terraform?"
+
+env:
+  TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+defaults:
+  run:
+    working-directory: ./terraform/services/cost-anomaly
+
+jobs:
+  check-fmt:
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - run: tofu fmt -check -diff -recursive .
+
+  plan-apply:
+    needs: check-fmt
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [bcda]
+        env: [test, prod]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: tofu init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: tofu plan -exclude=module.sns_to_slack_queue.data.aws_iam_policy_document.sns_send_message -exclude=module.sns_to_slack_queue.aws_sns_topic_subscription.this -out=tf.plan
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
+      - if: inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main')  || github.event_name == 'schedule'
+        run: tofu apply -auto-approve tf.plan
+      - if: inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+        run: tofu apply -auto-approve tf.plan
@@ -0,0 +1,67 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  function_name = "cost-anomaly-alert"
+}
+
+module "standards" {
+  source      = "github.com/CMSgov/cdap//terraform/modules/standards"
+  app         = "cdap"
+  env         = var.env
+  providers   = { aws = aws, aws.secondary = aws.secondary }
+  root_module = "https://github.com/CMSgov/cdap/tree/main/terraform/services/cost-anomaly"
+  service     = "cost-anomaly"
+}
+
+resource "aws_ce_anomaly_monitor" "account_alerts" {
+  name              = "AccountAlerts"
+  monitor_type      = "DIMENSIONAL"
+  monitor_dimension = "SERVICE"
+}
+
+resource "aws_sns_topic" "cost_anomaly_sns" {
+  name              = "cost-anomaly-topic"
+  kms_master_key_id = "alias/bcda-${var.env}"
+}
+
+resource "aws_ce_anomaly_subscription" "realtime_subscription" {
+  name      = "cost_anomaly_subscription"
+  frequency = "IMMEDIATE"
+
+  monitor_arn_list = [
+    aws_ce_anomaly_monitor.account_alerts.arn
+  ]
+
+  subscriber {
+    type    = "SNS"
+    address = aws_sns_topic.cost_anomaly_sns.arn
+  }
+
+  threshold_expression {
+    or {
+      dimension {
+        key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
+        match_options = ["GREATER_THAN_OR_EQUAL"]
+        values        = ["20"]
+      }
+    }
+    or {
+      dimension {
+        key           = "ANOMALY_TOTAL_IMPACT_PERCENTAGE"
+        match_options = ["GREATER_THAN_OR_EQUAL"]
+        values        = ["5"]
+      }
+    }
+  }
+}
+
+module "sns_to_slack_queue" {
+  source = "../../modules/queue"
+
+  name          = "cost-anomaly-alert-queue"
+  sns_topic_arn = aws_sns_topic.cost_anomaly_sns.arn
+
+  app           = "bcda"
+  env           = var.env
+  function_name = local.function_name
+}
@@ -0,0 +1,28 @@
+terraform {
+  backend "s3" {
+    key = "cost-anomaly/terraform.tfstate"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5"
+    }
+  }
+  required_version = "1.10.5"
+}
+
+provider "aws" {
+  alias  = "primary"
+  region = "us-east-1"
+  default_tags {
+    tags = module.standards.default_tags
+  }
+}
+
+provider "aws" {
+  alias  = "secondary"
+  region = "us-west-2"
+  default_tags {
+    tags = module.standards.default_tags
+  }
+}
@@ -0,0 +1,8 @@
+variable "env" {
+  description = "The application environment (test, prod)"
+  type        = string
+  validation {
+    condition     = contains(["test", "prod"], var.env)
+    error_message = "Valid value for env is test or prod."
+  }
+}