upd: doc

README.md

@@ -8,8 +8,17 @@ This Terraform module allows you to configure and deploy:
 
 ### Minimal BQ quotas
 ```hcl
+locals {
+  project_id = "PROJECT_ID"  # Replace this with your actual project id
+}
+
+provider "google" {
+  user_project_override = true
+  billing_project       = local.project_id
+}
+
 resource "google_monitoring_notification_channel" "email" {
-  project      = "PROJECT_ID"
+  project      = local.project_id
   display_name = "Test Notification Channel"
   type         = "email"
   labels = {
@@ -22,7 +31,7 @@ module "finops" {
   source  = "artefactory/finops/google"
   version = "~> 0.1"
 
-  project_id = "PROJECT_ID"
+  project_id = local.project_id
 
   quotas = {
     bigquery_quota_tb_per_day_total    = 10  # 10 TiB Per day limit for the project
@@ -33,8 +42,17 @@ module "finops" {
 
 ### BQ quotas with alerts
 ```hcl
+locals {
+  project_id = "PROJECT_ID"  # Replace this with your actual project id
+}
+
+provider "google" {
+  user_project_override = true
+  billing_project       = local.project_id
+}
+
 resource "google_monitoring_notification_channel" "email" {
-  project      = "PROJECT_ID"
+  project      = local.project_id
   display_name = "Test Notification Channel"
   type         = "email"
   labels = {
@@ -47,7 +65,7 @@ module "finops" {
   source  = "artefactory/finops/google"
   version = "~> 0.1"
 
-  project_id = "PROJECT_ID"
+  project_id = local.project_id
 
   quotas = {
     bigquery_quota_tb_per_day_total    = 10  # 10 TiB Per day limit for the project
@@ -70,8 +88,17 @@ module "finops" {
 
 ⚠️ This requires the principals (you and/or a service account) executing this code to be `roles/billing.costsManager` on the billing account used.
 ```hcl
+locals {
+  project_id = "PROJECT_ID"  # Replace this with your actual project id
+}
+
+provider "google" {
+  user_project_override = true
+  billing_project       = local.project_id
+}
+
 resource "google_monitoring_notification_channel" "email" {
-  project      = "PROJECT_ID"
+  project      = local.project_id
   display_name = "Test Notification Channel"
   type         = "email"
   labels = {
@@ -84,7 +111,7 @@ module "finops" {
   source  = "artefactory/finops/google"
   version = "~> 0.1"
 
-  project_id = "PROJECT_ID"
+  project_id = local.project_id
 
   budgets = {
     billing_account_id = "ABCDEF-ABCDEF-ABCDEF"

docs/index.md

@@ -2,6 +2,41 @@ This module Terraforms configurable BigQuery quotas and billing alerts on a GCP
 
 ## Pre-requisites
 
-### [Install Terraform](install_terraform.md)
-### [Log in to GCP with your default credentials](gcp_login.md)
-### Required permissions
+- [Install Terraform](install_terraform.md)
+- [Log in to GCP with your default credentials](gcp_login.md)
+- [Cloud Resource Manager API needs to be activated in your project](https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview)
+
+### Required roles and permissions
+
+####  On the project you want to deploy on:
+
+- Broad roles that will work, but **not recommended** for service accounts or even people.
+  - `roles/owner`
+  - `roles/editor`
+- Recommended roles to respect least privilege principle.
+  - `roles/servicemanagement.serviceConsumer`
+  - `roles/servicemanagement.quotaAdmin`
+  - `roles/serviceusage.serviceUsageAdmin`
+  - `roles/monitoring.notificationChannelEditor`
+- Granular permissions required to build a custom role specific for this deployment.
+  - `monitoring.alertPolicies.create`
+  - `monitoring.alertPolicies.delete`
+  - `monitoring.notificationChannels.create`
+  - `monitoring.notificationChannels.delete`
+  - `servicemanagement.services.bind`
+  - `serviceusage.operations.get`
+  - `serviceusage.quotas.update`
+  - `serviceusage.services.enable`
+  - `serviceusage.services.get`
+
+####  On the billing account:
+!!! info
+    To deploy budget alerts, you will need permissions on the billing account linked with the project. This is not something that can be granted at the project level. It has to be granted on the Billing Account itself.
+
+The principal used to deploy budget alerts will need to be `roles/billing.costsManager`
+
+You will not need this role if you're only deploying quotas.
+
+## Deployment
+- [One-shot](one_shot_deployment.md)
+- [Managed](continuous_deployment.md)

examples/standalone/main.tf

@@ -1,5 +1,14 @@
+locals {
+  project_id = "PROJECT_ID" # Replace this with your actual project id
+}
+
+provider "google" {
+  user_project_override = true
+  billing_project       = local.project_id
+}
+
 resource "google_monitoring_notification_channel" "email" {
-  project      = "PROJECT_ID" # Replace this with your actual project id
+  project      = local.project_id
   display_name = "Test Notification Channel"
   type         = "email"
   labels = {
@@ -12,7 +21,7 @@ module "finops" {
   source  = "artefactory/finops/google"
   version = "~> 0.1"
 
-  project_id = "PROJECT_ID" # Replace this with your actual project id
+  project_id = local.project_id
 
   #  quotas = {
   ##    # Set a 10 TiB Per day limit for the project

main.tf

@@ -9,8 +9,17 @@
 *
 * ### Minimal BQ quotas
 * ```hcl
+* locals {
+*   project_id = "PROJECT_ID"  # Replace this with your actual project id
+* }
+*
+* provider "google" {
+*   user_project_override = true
+*   billing_project       = local.project_id
+* }
+*
 * resource "google_monitoring_notification_channel" "email" {
-*   project      = "PROJECT_ID"
+*   project      = local.project_id
 *   display_name = "Test Notification Channel"
 *   type         = "email"
 *   labels = {
@@ -23,7 +32,7 @@
 *   source  = "artefactory/finops/google"
 *   version = "~> 0.1"
 *
-*   project_id = "PROJECT_ID"
+*   project_id = local.project_id
 *
 *   quotas = {
 *     bigquery_quota_tb_per_day_total    = 10  # 10 TiB Per day limit for the project
@@ -34,8 +43,17 @@
 *
 * ### BQ quotas with alerts
 * ```hcl
+* locals {
+*   project_id = "PROJECT_ID"  # Replace this with your actual project id
+* }
+*
+* provider "google" {
+*   user_project_override = true
+*   billing_project       = local.project_id
+* }
+*
 * resource "google_monitoring_notification_channel" "email" {
-*   project      = "PROJECT_ID"
+*   project      = local.project_id
 *   display_name = "Test Notification Channel"
 *   type         = "email"
 *   labels = {
@@ -48,7 +66,7 @@
 *   source  = "artefactory/finops/google"
 *   version = "~> 0.1"
 *
-*   project_id = "PROJECT_ID"
+*   project_id = local.project_id
 *
 *   quotas = {
 *     bigquery_quota_tb_per_day_total    = 10  # 10 TiB Per day limit for the project
@@ -71,8 +89,17 @@
 *
 * ⚠️ This requires the principals (you and/or a service account) executing this code to be `roles/billing.costsManager` on the billing account used.
 * ```hcl
+* locals {
+*   project_id = "PROJECT_ID"  # Replace this with your actual project id
+* }
+*
+* provider "google" {
+*   user_project_override = true
+*   billing_project       = local.project_id
+* }
+*
 * resource "google_monitoring_notification_channel" "email" {
-*   project      = "PROJECT_ID"
+*   project      = local.project_id
 *   display_name = "Test Notification Channel"
 *   type         = "email"
 *   labels = {
@@ -85,7 +112,7 @@
 *   source  = "artefactory/finops/google"
 *   version = "~> 0.1"
 *
-*   project_id = "PROJECT_ID"
+*   project_id = local.project_id
 *
 *   budgets = {
 *     billing_account_id = "ABCDEF-ABCDEF-ABCDEF"

mkdocs.yml

@@ -7,6 +7,8 @@ plugins:
 
 nav:
   - Home: index.md
-  - User Guide:
-      - One shot deployment: one_shot_deployment
-      - Continuous deployment: continuous_deployment
+  - One shot deployment: one_shot_deployment
+  - Continuous deployment: continuous_deployment
+  - Setup:
+      - Installing Terraform: install_terraform.md
+      - Authenticate Terraform with GCP: gcp_login.md