30-minute quickstart

This is the fast path from zero to "Argmin is ingesting my data." It works for AWS, GCP, or Azure — the shape is identical; only the values and the module directory change.

The whole thing in one sentence

Deploy one read-only Terraform module, prove it's read-only with the bundled verify.sh, and send Argmin the output it prints.

Before the clock starts

Have these ready (full checklist on Before you begin):

  • [ ] Terraform ≥ 1.5 and your cloud CLI installed and authenticated (aws / gcloud / az).
  • [ ] Admin-level access in the target account/project/subscription (you'll create an IAM role / service account / service principal).
  • [ ] The onboarding module for your cloud, from infra/<cloud>/onboarding/ in the platform repo.
  • [ ] An email thread open with contact@argmin.co.

Step 1 — Get your values from Argmin (≈5 min)

Email contact@argmin.co telling us which cloud you're connecting. We reply with the cloud-specific values you'll paste into Terraform:

AWS:

  • argmin_account_id — the AWS account Argmin assumes the role from.
  • external_id — a per-customer string for the sts:ExternalId condition (confused-deputy mitigation).

Google Cloud:

  • wif_issuer_uri — Argmin's OIDC issuer URL.
  • wif_allowed_subjects — the exact OIDC subject(s) Argmin federates from (no wildcards).

Azure:

  • federated_credential_issuer — Argmin's OIDC issuer URL.
  • federated_credential_subject — the subject claim in Argmin's federation token.

Step 2 — Fill terraform.tfvars (≈5 min)

Copy the terraform.tfvars.example that ships in the module directory, then fill in Argmin's values plus your own resource names (CUR bucket, billing dataset, subscription ID — see your cloud guide).

AWS:

aws_region            = "us-east-1"        # region your CUR bucket lives in
argmin_account_id     = "<from Argmin>"
external_id           = "<from Argmin>"
cur_bucket_name       = "my-org-cur-bucket"
enable_bedrock_access = true

Google Cloud:

project_id            = "my-prod-project"
service_account_id    = "argmin-readonly"
use_workload_identity = true
wif_pool_id           = "argmin-pool"
wif_provider_id       = "argmin-provider"
wif_issuer_uri        = "https://<from Argmin>"
wif_allowed_subjects  = ["<from Argmin>"]

Azure:

subscription_id              = "00000000-0000-0000-0000-000000000000"
use_federated_credential     = true
federated_credential_issuer  = "https://<from Argmin>"
federated_credential_subject = "<from Argmin>"

Step 3 — Apply (≈5 min)

cd infra/<cloud>/onboarding   # aws | gcp | azure
terraform init
terraform plan                # review the read-only role/SP it will create
terraform apply

terraform apply prints the outputs you'll send back in Step 5 (role ARN / service-account email / client ID) plus a human-readable granted_* summary — keep that for your audit trail.

Step 4 — Verify the trust boundary (≈2 min)

./scripts/verify.sh

This assumes the identity exactly as Argmin will, then exercises one read and one write per granted service. Reads must succeed; writes must fail. The script exits non-zero if any write succeeds — that would be a security finding, not a pass. A clean exit is your proof the integration is read-only.
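
The pass/fail rule above, as an added sketch that is not Argmin's verify.sh: reads must succeed, writes must be denied, and (a stricter assumption added here) a write that fails for a reason other than an authorization denial counts as inconclusive rather than as proof. The function names, `DENIED_RE` and the probe commands are hypothetical; the probes are constructed stand-ins for cloud CLI calls so the block runs offline.

```shell
#!/bin/sh
# Added illustration only; this is NOT Argmin's verify.sh.
# Error codes that mean "authorization denied" on AWS, Google Cloud and Azure.
DENIED_RE='AccessDenied|UnauthorizedOperation|PERMISSION_DENIED|AuthorizationFailed'

# classify KIND COMMAND -> prints PASS, FINDING, FAIL or INCONCLUSIVE.
# KIND is "read" or "write"; COMMAND is a probe run under the assumed identity.
classify() {
  kind=$1; cmd=$2
  # Capture stderr only; detach stdin so a probe cannot eat the probe list.
  if err=$(sh -c "$cmd" 2>&1 >/dev/null </dev/null); then outcome=allowed
  elif printf '%s' "$err" | grep -Eq "$DENIED_RE"; then outcome=denied
  else outcome=error
  fi
  case "$kind:$outcome" in
    read:allowed|write:denied) echo PASS ;;
    write:allowed) echo FINDING ;;      # identity can mutate: security finding
    read:denied)   echo FAIL ;;         # a grant is missing
    *)             echo INCONCLUSIVE ;; # failed, but not because access was denied
  esac
}

# verify: reads "kind|label|command" lines on stdin, prints one verdict per
# probe, and returns non-zero unless every probe is PASS.
verify() {
  bad=0
  while IFS='|' read -r kind label cmd; do
    [ -n "$kind" ] || continue
    verdict=$(classify "$kind" "$cmd")
    printf '%-13s %-6s %s\n' "$verdict" "$kind" "$label"
    [ "$verdict" = PASS ] || bad=1
  done
  return "$bad"
}

# Constructed probes: stand-ins for cloud CLI calls so the block runs offline.
demo() {
  verify <<'EOF'
read|list billing objects|true
write|put object|echo 'An error occurred (AccessDenied)' >&2; exit 1
write|delete object|echo 'Could not connect to the endpoint' >&2; exit 1
EOF
}

demo || echo "not a clean pass: the delete probe never reached an authorization check"
```
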

What "verified" means in detail

Step 5 — Send the outputs to Argmin (≈3 min)

Reply to your onboarding email with the terraform output values. Each cloud guide lists the exact fields, e.g. AWS:

role_arn:   <terraform output>
cur_bucket: <bucket name>
region(s):  us-east-1, ...

Step 6 — Argmin confirms (≤ 1 business day)

We validate that the role/SP is reachable, start ingestion, and reply confirming data is flowing. Within ~1–2 hours of confirmation you'll see your team roster, cost data, and AI model inventory populate in the Argmin dashboard.


You're done when…

  • [x] terraform apply completed with no errors.
  • [x] ./scripts/verify.sh exited 0 (reads pass, writes denied).
  • [x] You've sent Argmin the outputs.
  • [x] Argmin has confirmed ingestion, and the dashboard shows your data.

Now go deeper on your specific cloud:

  • AWS
  • Google Cloud
  • Azure