Skip to content

Add optional billing budgets for AW folder and updated associated docs. #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Calvin-Cheng1 wants to merge 3 commits into
base: main
Choose a base branch
from
+66 −0
Open

Add optional billing budgets for AW folder and updated associated docs. #85

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
20ebefa
Add optional billing budgets for AW folder and updated associated docs.
Calvin-Cheng1 Jun 8, 2026
cadd3b5
Update budgets.tf with copyright and locals var.
Calvin-Cheng1 Jun 8, 2026
416823f
Update module to billing-account-budget
Calvin-Cheng1 Jun 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions fast/stages-aw/0-bootstrap/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,10 @@ For details on configuring the different billing account modes, refer to the [Ho

Due to limitations of API availability, manual steps have to be followed to enable billing export within the billing Google Cloud Project to BigQuery dataset `billing_export`, which will be created as part of the bootstrap stage. The process to share billing data [is outlined here](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-setup#enable-bq-export).

#### Billing Budgets

@aghassemlouei aghassemlouei Jun 8, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be three or four headings deep?

@Calvin-Cheng1 Calvin-Cheng1 Jun 9, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set it as 4 so it is nested within the Billing Account section


A default billing budget can be created for the top-level folder of the landing zone by setting the `billing_budget_amount` variable. This budget will cover all projects created within the Assured Workload folder (or the "no-compliance" folder if Assured Workloads are disabled). The variable is an object that allows specifying the budget amount and optional threshold rules (defaults to 0.5, 0.75, and 0.9).

### Google Cloud Organization Level Logging

We create Google Cloud Organization level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging Google Cloud Project. In addition, a log sink with an empty filter is included to comply with [Center for Internet Security (CIS) Benchmarks](https://cloud.google.com/security/compliance/cis) related to log sinks.
Expand Down Expand Up @@ -374,6 +378,7 @@ The `fast_features` variable consists of 4 toggles
|---|---|:---:|:---:|:---:|
| [alert_email](variables.tf#L16) | Email to receive log alerts. | <code>string</code> | ✓ | |
| [billing_account](variables.tf#L34) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10; id &#61; string&#10; is_org_level &#61; optional&#40;bool, true&#41;&#10; no_iam &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [billing_budget_amount](variables.tf#L44) | Budget configuration for the AW folder. Includes amount and optional threshold rules (defaults to 0.5, 0.75, 0.9). If null, no budget will be created. | <code title="object&#40;&#123;&#10; amount &#61; number&#10; threshold_rules &#61; optional&#40;list&#40;number&#41;, &#91;0.5, 0.75, 0.9&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [bootstrap_project](variables.tf#L44) | Bootstrap project ID. | <code>string</code> | ✓ | |
| [organization](variables.tf#L260) | Organization details. | <code title="object&#40;&#123;&#10; id &#61; number&#10; domain &#61; optional&#40;string&#41;&#10; customer_id &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [prefix](variables.tf#L275) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | |
Expand Down
47 changes: 47 additions & 0 deletions fast/stages-aw/0-bootstrap/budgets.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

# tfdoc:file:description Billing budgets.

locals {
folder_name = var.assured_workloads.regime != "COMPLIANCE_REGIME_UNSPECIFIED" ? "${google_assured_workloads_workload.primary[0].display_name}" : "${module.no-compliance-folder[0].folder.name}"
}

module "billing-account-budget" {
source = "../../../modules/billing-account"
count = var.billing_budget_amount != null ? 1 : 0
id = var.billing_account.id
budgets = {
aw-folder-budget = {
display_name = "Budget for ${local.folder_name} Folder"
amount = {
units = var.billing_budget_amount.amount
}
threshold_rules = [
for t in var.billing_budget_amount.threshold_rules : {
percent = t
}
]
filter = {
resource_ancestors = [
var.assured_workloads.regime != "COMPLIANCE_REGIME_UNSPECIFIED"
? "folders/${google_assured_workloads_workload.primary[0].resources[0].resource_id}"
: module.no-compliance-folder[0].folder.id
]
}
}
}
}
5 changes: 5 additions & 0 deletions fast/stages-aw/0-bootstrap/terraform.tfvars.sample
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@ billing_account = {
id = "012345-67890A-BCDEF0"
}

# Optional Billing budget for the Assured Workload folder. If not set, no budget will be created.
# billing_budget_amount = {
# amount = 1000
# }

# region configuration - this will automatically populate locations for GCS, BigQuery, KMS, and logging buckets
# Default to us-east4 for IL5/FedRAMP compliance - adjust as needed
regions = {
Expand Down
9 changes: 9 additions & 0 deletions fast/stages-aw/0-bootstrap/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,15 @@ variable "billing_account" {
nullable = false
}

variable "billing_budget_amount" {
description = "Optional Budget configuration for the AW folder. Includes amount and optional threshold rules (defaults to 0.5, 0.75, 0.9). If null, no budget will be created."
type = object({
amount = number
threshold_rules = optional(list(number), [0.5, 0.75, 0.9])
})
default = null
}

variable "bootstrap_project" {
description = "Bootstrap project ID."
type = string
Expand Down