
Before you begin

A short checklist so the 30-minute quickstart runs without detours.

Tooling

Tool        Version   Why
Terraform   ≥ 1.5     Deploys the onboarding module
Cloud CLI   latest    Authenticates Terraform to your account
git         any       To clone/vendor the onboarding module

Per cloud, the CLI is:

AWS
  • AWS CLI v2, authenticated to the target account.
  • The caller needs IAM admin in that account (the module runs iam:CreateRole). Run as a principal with IAMFullAccess or equivalent.

    aws sts get-caller-identity   # confirm you're in the right account

GCP
  • gcloud SDK, with application-default credentials.
  • The caller needs roles/iam.workloadIdentityPoolAdmin (to create the WIF pool) and the ability to create service accounts.

    gcloud auth application-default login
    gcloud config set project <project_id>

Azure
  • Azure CLI (az), logged in.
  • The caller needs Application.ReadWrite.OwnedBy on the tenant (to create the app/service principal) and Owner/User Access Administrator on the subscription (to assign roles). A Global Administrator can always do this.

    az login
    az account set --subscription <subscription_id>
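An added preflight script (my own example, not Argmin's scripts/verify.sh and not from the original page) that runs the checks above before you touch the module: Terraform ≥ 1.5, git on the PATH, and the per-cloud CLI actually authenticated; function and variable names are my own.

```shell
#!/usr/bin/env sh
# Preflight for the onboarding module (added example, not the project's own script).

# Returns 0 when the version string in $1 (e.g. "1.5.7") satisfies Terraform >= 1.5.
terraform_version_ok() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ]; then return 0; fi
  return 1
}

# Extracts "1.5.7" from the first line of `terraform version` ("Terraform v1.5.7 ...").
installed_terraform_version() {
  terraform version 2>/dev/null | sed -n '1s/^Terraform v\([0-9.]*\).*/\1/p'
}

# $1 is aws|gcp|azure. Returns 0 only when that CLI is present and authenticated,
# and prints the account / project / subscription it resolved so you can eyeball it.
cloud_identity_ok() {
  case "$1" in
    aws)   aws sts get-caller-identity --query Account --output text ;;
    gcp)   gcloud auth application-default print-access-token >/dev/null \
             && gcloud config get-value project ;;
    azure) az account show --query id -o tsv ;;
    *)     echo "unknown cloud: $1" >&2; return 2 ;;
  esac
}

# Usage: preflight aws|gcp|azure. Non-zero exit means stop and fix the listed item.
preflight() {
  cloud=$1
  v=$(installed_terraform_version)
  if [ -z "$v" ]; then echo "terraform not found on PATH" >&2; return 1; fi
  terraform_version_ok "$v" || { echo "terraform $v is older than 1.5" >&2; return 1; }
  command -v git >/dev/null 2>&1 || { echo "git not found on PATH" >&2; return 1; }
  id=$(cloud_identity_ok "$cloud") || { echo "$cloud CLI is not authenticated" >&2; return 1; }
  echo "preflight ok: terraform $v, $cloud identity resolved to $id"
}
```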

Access you'll grant Argmin

You are creating a read-only identity. Nothing here grants write access — and the platform actively prevents it (see Trust & security).

AWS: A cross-account IAM role (argmin-readonly-integration, 15-minute session TTL) with read-only access to Cost Explorer, your CUR S3 bucket, the pricing catalog, Bedrock metadata, CloudWatch/CloudTrail, and IAM/Organizations listing.

GCP: A service account (argmin-readonly@…) federated via Workload Identity (no exported keys) with bigquery.dataViewer, monitoring.viewer, logging.viewer, and serviceusage.serviceUsageConsumer.

Azure: A service principal (argmin-readonly-integration) federated via OIDC (no long-lived secret by default) with Reader, Cost Management Reader, and Monitoring Reader at subscription scope.

Information to gather

Have these handy before Step 2 so you don't have to stop and look them up:

AWS
  • [ ] The region your Cost & Usage Report bucket lives in.
  • [ ] Your CUR S3 bucket name (and prefix, if non-default).
  • [ ] Whether you use Bedrock (leave enable_bedrock_access = true if so).

GCP
  • [ ] Your project ID and numeric project number.
  • [ ] Your BigQuery billing-export dataset ID (optional, to scope down).

Azure
  • [ ] Your subscription ID and tenant ID.
  • [ ] Where Azure OpenAI inference runs: direct, via APIM, or via an Event Hub (decides the optional enable_* flags).

Get the onboarding module

The modules live in the platform repo under infra/<cloud>/onboarding/. Argmin will point you at the exact source (and version) during onboarding; you can vendor it into your own IaC repo or run it in place.

  • AWS: infra/aws/onboarding/
  • GCP: infra/gcp/onboarding/
  • Azure: infra/azure/onboarding/

Each directory contains main.tf, variables.tf, outputs.tf, a terraform.tfvars.example, and scripts/verify.sh.

Continue to the quickstart