Finout’s CostGuard is a powerful tool for identifying areas within your infrastructure that are ripe for cost optimization. As cost optimization is always a high priority, CostGuard provides a comprehensive solution that is seamlessly integrated with the MegaBill.

With CostGuard, you can easily identify cost optimization opportunities that are relevant for your Virtual Tags, different teams, environments, and cost centers - All in one centralized location. This makes it easier than ever to streamline your cost optimization efforts and achieve maximum savings.

Moreover, CostGuard continuously scans your resources and costs and identifies potential cost-saving opportunities across a range of use cases. With this feature, you have everything you need to optimize your costs and improve your bottom line:

• Almost every organization has resources that were provisioned but are no longer in use. Forgetting to switch off these Idle resources eats away at your tech budget.

• Resources that are in use may be underutilized and exceed your current workload performance and capacity requirements. Rightsizing means that you can downsize these resources without compromising on your service levels.

• Identifying resources that are regularly in use helps to identify potential savings that can be had by signing up for savings plans. The Commitment to using a resource for a specific amount over the agreed period can safely be made based on the CostGuard scans.

Finout helps guard against resource wastage and provides you with quick access to potential savings. You can drill down into the various scan reports to view a list of the resources that require tweaking to actualize the specific savings. CostGuard gives you the information, and the confidence, to modify your resourcing and save money.

The CostGuard feature is available out of the box and generally requires no configuration. If you need additional scans, please contact Finout.

The following potential cost savings are tracked automatically:

How to View Potential Savings

1. Select CostGuard.

2. (Optional) Apply the required Filters.

3. (Optional) Select whether to view the type of potential savings: Idle, Rightsizing, or Commitment.

4. (Optional) Select the required Group By option.

5. To download a list of the potential savings, click and Download CSV. A list of the potential grouped monthly savings and the number of resources per group is downloaded.

6. To download a table of the monthly scans, in the Scans area, click Download CSV. A list of the monthly scans, with the scan names, cost centers, use cases, potential savings per scan, and number of resources per scan, is downloaded.

7. To view a specific scan, in the Scans pane, click on the scan report.

How to View Cost Scans

The key information appears at the top of the scan report, with the detailed resource information listed in the table below.

1. Select CostGuard.

2. Select the required cost scan in the Scans pane.

   
3. (Optional) Apply the required Filters.

4. (Optional) Click Additional Columns, select the required columns, and click Apply.

5. To sort the resources table, click on the required column name. Click again to sort in reverse order.

6. To view resources with a specific status, click the required status button. For more information on statuses see How to manage the resource status.

   

   
7. To return to viewing all resources, click All Resources.

8. Apply any required column viewing options. These column viewing options do not affect the exported cost scan.

How to Export a Cost Scan

You can export the cost scan with the applied filters, visible columns, selected resource status, and in the visible sort order.

1. Select CostGuard.

2. Select the required cost scan in the Scans pane.

3. (Optional) Apply the required Filters.

4. (Optional) Click Additional Columns, select the required columns, and click Apply.

5. To view resources with a specific status, click the required status button.

6. To sort the resources table, click on the required column name. Click again to sort in reverse order.

7. Click the download icon. A CSV file is downloaded.

How to Create a Snapshot of a Cost Scan

You can create a link to a scan report. The link is copied to the clipboard.

1. Select CostGuard.

2. Select the required cost scan in the Scans pane.

3. Click Generate Report. The link is sent to the clipboard.

How to Manage the Resource Status

You can manage the status of each of the resources, allowing you to track whether or not you are working on it, have dismissed it, or are done. A resource starts with a New status. This can be updated to Working on it, Dismissed, or Done. You can view a list of all the resources that you are working on.

CostGuard Statuses:

• New - This resource was identified today as applicable for the scan's recommendation, but the recommendation has not been implemented and remains unresolved.

• Working on it - The recommendation for this resource is currently being implemented.

• Done - The recommendation has been implemented for the resource.

• Dismissed - The recommendation for the resource was identified by the user as irrelevant. When applying this status, the resource's recommendation will be archived and removed from the table unless filtering by this status.

  • The "dismissed" status applies only to the day it was dismissed.

  • If a recommendation is dismissed and later determined by Finout to be incompatible with the scan's threshold, it will no longer be applicable and will automatically be removed from CostGuard, like all other recommendations.

To manage CostGuard statuses:

1. Select CostGuard.

2. Select the required cost scan in the Scans pane.

3. Select a resource and select a Status from the dropdown.

   
4. Select one or more resources and then click Change status and select the required status.

   
5. To view a list of all the resources that you are working on, click To Do.

How to Optimize Kubernetes Resources

The Finout CostGuard scans help you set the correct allocation of resources for Kubernetes. For detailed information on how Finout calculates the cost of a Kubernetes K8 pod, see How Finout Calculates K8s Costs.

The report allows you to play “what-if” analysis and view the costs and savings if you were to lower the requested memory or CPU to the maximum usage or by 10% (P90) or 20% (P80).

1. Select CostGuard.

2. Scroll down to the list of scans, and click the Cost Center column to easily locate the Kubernetes scans.

3. Click on a K8s scan, for example, K8s - Deployment.

4. Click to select a report.

5. The report covers the period of the last 14 days and includes:

1. Cost and waste for the resource over the period.

2. Breakdown of the Memory and CPU usage (Max, Average, and Min) versus the current request over the period.

• To view the impact of reducing the requested memory by 10% (P90) or 20% (P80), click P90 or P80. The New waste and Potential savings are updated.

• To view the impact of selecting the maximum memory (as recorded in the past 14 days), click Max. The New waste and Potential savings are updated.

• Similarly, to view the impact of changing the number of cores, click Max P90 or P80. The New waste and Potential savings are updated.

• To view the CPU/memory ratio for the resource, click the information icon.
• To copy the configuration with the selected changes, click Copy to copy the JSON snippet to the clipboard.

CostGuard is part of Finout’s cost optimization suite that is responsible for generating cost-saving recommendations by continuously scanning your resources and your entire MegaBill, allowing you to identify and leverage potential cost-saving opportunities across various use cases.

CostGuard recommendations are divided into three different use cases:

When you select a CostGuard scan, you will find the query prominently displayed in the top right corner of the screen. This query is customized to your selection, reflecting the specific criteria and filters you have chosen. It serves as a concise summary of the scan's parameters, allowing you to review and verify that the scan aligns with your objectives.

Moreover, the query provides you with valuable insights by presenting all relevant resources identified within the past 7 days. By focusing on recent data, CostGuard ensures that you have access to the most up-to-date information when making informed decisions about cost optimization.

Idle

Almost every organization has resources that were provisioned but are no longer in use. Forgetting to switch off these Idle resources eats away at your tech budget.

Commitment

Identifies resources that are regularly in use helps to identify potential savings that can be had by signing up for savings plans. The Commitment to using a resource for a specific amount over the agreed period can safely be made based on the CostGuard scans.

EC2 - Savings plans

EC2 Instance Savings Plans unlock savings of up to 72% off on-demand prices by committing to a specific instance family in an AWS Region, regardless of instance size (e.g., m5.xlarge, m5.2xlarge, etc.), operating system (e.g., Windows, Linux, etc.), and tenancy type (Host, Dedicated, Default) within the chosen family and region.

With an EC2 Instance Savings Plan, you retain the flexibility to resize your instances within the selected family (e.g., from c5.xlarge to c5.2xlarge) or switch operating systems (e.g., from Windows to Linux). Even transitioning from dedicated tenancy to default does not affect the discounted rate provided by your EC2 Instance Savings Plan.

As part of CostGuard for EC2 Savings plans, our platform conducts scans across all EC2 instances within your account. We prioritize optimizing EC2-compute and on-demand filters, as these areas are vital in cost optimization. The resource names in the platform will include the respective regions to provide accurate insights and optimization recommendations.

For each region type, we have an analysis model that includes a simulator for savings plans.

To use the savings simulator:

1. Select the relevant scan.

2. Set the configuration of the plan: 1-year commitment or a 3-year commitment.

3. Set the payment option: Select partial upfront, all upfront, or no upfront.

Once the simulator is set based on your scan type, a summary is displayed. It includes the current on-demand spend, estimated monthly spend, and potential savings based on the chosen payment option.

The simulator provides an hourly level comparison with the on-demand rate, indicating the coverage provided by each commitment.

Using the simulator, we recommend the price of an hourly commitment based on the analysis.

EC2 - Reserved Instances

We provide the user with the ability to understand the RIs for each one of the instances; how many resources are in each instance (Resources Count), how much of the instances are currently covered by any plan (Current Coverage), the optimal coverage and we provide a recommendation of how many instances, what type of instance family you should purchase and the annual potential savings if you go by the recommendation.

This instance is analyzed on a time frame of the last 30 days.

Compute Savings Plans

Compute Savings Plans can lead to savings of up to 66% relative to on-demand prices by committing to specific hourly compute costs. These plans offer maximum flexibility, regardless of the instance family, region, operating system (e.g., Windows, Linux), tenancy type (such as Host, Dedicated, or Default), or product type (EC2, Fargate, Lambda).

Finout’s CostGuard conducts scans across EC2, Fargate, and Lambda compute. Based on your hourly usage, it recommends the best $/hour rate for you.

Scan Breakdown:

• Payment options- Upfront, partial upfront, or no upfront.

• Saving plan terms- 1 year or 3 years.

From these options, 6 different combination scans are created, each showing how much you could save annually by choosing any one of these options.

For each combination including the payment option and saving plan term, we have an analysis model which includes a simulator for each savings plan.

To use the savings simulator:

1. Select the relevant scan.

2. Select the timeframe (based on the past) for the simulator. Either 7, 30, or 60 days (the default is 30 days).

3. The simulator will provide an hourly level comparison with the on-demand rate. Based on this, CostGuard recommends the optimal $/hourly commitment.

Rightsizing

Resources that are in use may be underutilized and exceed your current workload performance and capacity requirements. Rightsizing means that you can downsize these resources without compromising on your service levels.

K8s- Rightsizing

In Kubernetes scans, waste and potential savings are two critical metrics for understanding and optimizing resource allocation:

• Waste: This represents the difference between the resources requested and the average hourly usage, calculated from minute-by-minute samples. Waste occurs when the requested resources exceed actual usage.

• Potential Savings: This is the cost difference between the current resource allocation and a recalculated allocation based on adjusting resource requests to a selected usage percentile. It highlights the monetary savings achievable through rightsizing. ​ Although both metrics reflect cost inefficiencies, waste is typically higher since resource requests remain unchanged unless actively optimized.

  This model is based on the historical behavior of your environment. In this scan, Finout assigns a dollar value to CPU and Memory usage based on the associated costs of the pods.

Application Calculation

The Application Calculation formula is applied to detect underutilized resources. If the formula output is greater than 0, it indicates underutilization.

New Default Ratios (88% CPU / 12% Memory) Formulas:

-CPU Formula:

- k8s max resource unit price: Price per resource unit (avg of CPU & memory).

- k8s max node cpu weight: CPU weight in the formula.

- k8s waste cores: Unused cores (value > 0 = rightsizing potential).

- Memory Formula:

- k8s max resource unit price: Price per resource unit (avg of CPU & memory).

- k8s max node mem weight: Memory weight in the formula.

- k8s waste mem: Unused memory (value > 0 = rightsizing potential).

Old Default Ratios (50% CPU / 50% Memory) Formulas:

- CPU Formula:

- cpu weight: The weight assigned to CPU in the formula determines how much of the total cost or resource is attributed to CPU.

- node price: The price of a node typically represents the cost of computing resources on that node.

- node cores: The total number of CPU cores available on the node.

- k8s waste cores: The number of unused CPU cores on the node, representing the potential for rightsizing the resources. If this value is greater than 0, it indicates an opportunity to optimize resource allocation.

- Memory Formula:

- mem weight: The weight assigned to memory in the formula, indicating how much of the total cost or resource is attributed to memory.

-node price: The price of a node, representing the cost of the resources on that node, similar to the CPU formula.

-node ram gb: The total amount of RAM (memory) available on the node, measured in gigabytes.

-k8s waste mem: The amount of unused memory on the node, representing the potential for rightsizing. If this value is greater than 0, it suggests an opportunity for resource optimization.

CPU/Memory Simulator

To propose recommended and new Memory and CPU requests, Finout offers a dynamic calculator. This tool enables the manual discovery of various CPU and Memory scenarios, based on the percentile CPU and Memory usage of the samples. For instance, at the 100th percentile, recommendations are based on the maximum CPU and Memory usage within the selected period. At the 85th percentile, recommendations are based on the CPU and Memory levels where 85% of the samples met the criteria during the chosen period.

The simulator provides two graph types for analysis: Overtime Analysis and Histogram View, offering insights into historical usage patterns.

1. Overtime analysis: Each graph, representing CPU and Memory, displays four different metrics:

   • Maximum usage.

   • Average usage across all pods in the selected scan.

   • Minimum usage.

   • Current request levels.

   • A dotted line that represents the simulated configuration of the chosen percentile.

2. Histogram view: To help in deciding whether to update your Memory or CPU, a histogram is also available. This visual representation shows the distribution of samples and indicates the number of samples that would fulfill the new request. ​ Histogram Sample- This represents an hourly aggregation of pod usage, determined by calculating the average of samples taken every minute.

Refer to the relevant documentation to understand how K8s costs are calculated.

AWS- Rightsizing

EBS - gp2

As Amazon encourages more people to transition to gp3, an advanced resource offering potential savings, Finout offers recommendations to users regarding the resources they should migrate from gp2 to gp3. By making this transition, users can potentially save a significant amount, denoted as "X."

RDS

Finout identifies underused RDS instances that can be downsized to a cost-effective alternative. The aim is to select the optimal instance for migration to maximize yearly savings, taking into account metrics like CPU usage and RDS connection count.

EC2

In this scan, Finout identifies underutilized instances that should not be shut down but rather moved to a more cost-effective alternative. The objective is to determine the most suitable instance to migrate to achieve the maximum potential savings on an annual basis.

GCP- Rightsizing

VM

During the VM rightsizing process, Finout analyzes VM CPU utilization data to suggest the most economical machine for optimal cost reduction. Within the calculations, CPU usage is constrained to a maximum of 80%. For predefined machines, we evaluate both standard and custom options. However, with custom machines, we specifically assess the custom configurations.

Snowflake - Rightsizing

Warehouse

During the warehouse rightsizing process, Finout analyzes Snowflake warehouse efficiency by comparing actual usage to billed usage to identify potential cost savings. The evaluation is based on the following key metrics:

• USED_CREDITS – The number of Snowflake credits actually consumed by the warehouse on a given day.

• BILLED_CREDITS – The number of Snowflake credits charged, which may differ from actual usage due to Snowflake’s pricing model.

• Utilization Percentage – Calculated as USED_CREDITS / BILLED_CREDITS, representing the warehouse's efficiency.

A warehouse is considered oversized if its utilization percentage is consistently low, meaning it is billed for more resources than it actually consumes. In such cases, Finout recommends downsizing to a smaller warehouse tier to optimize costs while maintaining performance.

Finout's CostGuard module provides actionable cost optimization insights. CostGuard scans surface idle resources, rightsizing opportunities, and offers commitment purchase recommendations. In order to do this, CostGuard needs read only permissions to certain metrics. The role created during the standard AWS cost data integration has the necessary permissions to perform CostGuard scans and discover linked accounts within the master payer account. However, to run CostGuard scans for resources within linked accounts, you need to create a CloudFormation StackSet that applies the necessary configurations across all linked accounts. This onboarding procedure assumes that the payer AWS account has been onboarded. If it has not, please go through that procedure first as per the instructions in Connect to AWS.

Create a New CloudFormation StackSet

1. Open the AWS CloudFormation console.

1. Choose StackSet then select Create StackSet. The Specify StackSet details step appears.

   For existing Finout AWS integrations: On the Specify template page choose Template is ready, select Amazon S3 URL, specify the following URL, and then click Next. https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json

1. Specify a name for the CloudFormation stack (e.g. finout-readonly-role), add a description, add the External ID in the Parameters section that was provided by Finout, and click Next. The Configure StackSet options step appears.

1. Set the Execution configuration to Active in the Configure stackSet options page and click Next.

2. Specify us-east-1 for the region, set the Deployment options, then click Next.

3. Acknowledge the IAM notice and click Submit on the Review page to launch the new stack.

4. Once the StackSets is complete, you can view one of the stacks from the Stack instances and copy the new role ARN from the Outputs tab.

1. Share the role of ARN with Finout Support.

Adding Permissions Manually

Use the following JSON file to add permissions manually to your accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}
}

The latest IAM policy with details about each statement can be found below.

Finout IAM Policy Details

Cloudwatch Metrics

{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:Describe*"
  ],
  "Resource": "*"
},

This policy allows Finout read-only permission to Cloudwatch metrics - these are crucial for all recommendations provided by CostGuard (Idle and Rightsizing recommendations).

EBS Volumes

{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
},

This section of the policy allows CostGuard to provide recommendations for unattached EBS volumes.

Organization Discovery

{
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
} 

This section allows CostGuard to provide recommendations on all your accounts in the organization.

Overview

To use Finout's CostGuard for GCP, Finout needs access to your GCP resource's operational metrics.

This guide assumes that your account is already integrated with GCP as a cost center and that Finout has access to your GCP billing data. If this is not the case, please refer to the GCP onboarding documentation.

The following steps provide instructions for granting Finout access to the necessary metrics, which will enable CostGuard to generate recommendations. The documentation is organized into two sections: one for onboarding an existing project and another for onboarding a new project.

How the Finout Integration Works

1. Finout utilizes a GCP scoping project, granting it access to essential metrics across all relevant projects in your GCP account, with read-only permissions.

   Note: A scoping project is a GCP project configured to access metric scopes from all projects that require monitoring.

2. You need to enable the Finout service account, which is responsible for monitoring your GCP billing, to access the metric scopes of the scoping project.

3. For this seamless integration, Finout has developed a Terraform script specifically designed for this purpose.

Functionality of Finout's Terraform Script

• Specifically applicable to new project creation: The Terraform script initiates by creating a new project within your account, designated as the scoping project, following GCP's recommended practices.

• Enabling monitoring API: It activates the Stackdriver Monitoring API for the newly created scoping project.

• Binding Finout's billing service account to the scoping project: The script assigns the Finout billing service account to the scoping project with the 'Monitoring Viewer' role.

• Linking monitored projects to the scoping project: It facilitates the binding of either all or selected projects in your account to the scoping project for monitoring purposes.

• Granting Finout access to monitored projects: The script assigns the Finout billing service account to all monitored projects, including the scoping project, with the 'Compute Viewer' role.

• Enabling compute engine API: It ensures the activation of the Compute Engine API for all monitored projects, which includes the scoping project as well.

Onboarding an Existing Project

1. Clone Finout’s shared repository- git clone:

   Execute git@github.com:finout-io/finout-onboarding.git to clone Finout’s shared repository.

2. Terraform script usage:

   Use the following Terraform script: gcp/cost-guard/existing-project-onboarding

3. Edit the Terraform state file configuration:

   Modify gcp-cost-guard-onboarding-existing-project/provider.tf file to save the Terraform state file.

   

4. Set up a bucket name:

   In <BUCKET_NAME> input the name of the bucket for storing Terraform state files. If it does not exist, create a new bucket.

5. Configure env.tfvars:

   Edit gcp-cost-guard-onboarding-existing-project/profiles/env.tfvars as follows:

   Use an existing project as the “scoping project” and bind Finout service account to this project:

   a. Edit the profiles/env.tfvars as follows:

   

   b. Run the script with additional parameters:

   • <FINOUT_SERVICE_ACCOUNT> -Retrieve the Finout service account details. Learn how to here.

   • <SCOPING_PROJECT_ID> - Add the existing project ID. Learn how to here.

   • <ADD_MONITORED_PROJECTS> - Add monitored projects to the scoping project. The default value is ‘false’. If you intend to add new projects to the monitoring scope, please change the value to ‘true’ and continue to the section below.

   • <MONITORED_PROJECTS> - Specify which projects will be monitored:

     1. If you wish to define all the organization projects as monitored projects - leave an empty list.

     2. If you wish to define specific projects - fill the "Monitored projected" list with the specific project IDs.

        • Defining monitored projects in this list will not affect the current projects that are being monitored.

6. Run the Terraform script.

7. Validate that the integration is working correctly:

   1. In the GCP Console, check the scoping project under IAM to ensure Finout's service account has the 'Monitoring Viewer' role.

   2. Under Monitoring in the scoping project, verify that all intended projects are added to the Metric Scope.

      
8. Send the scoping project ID and account service to Finout.

   Note: To send the project ID, please reach out to Finout's support team.

Additional help: setting up and running the Finout integration

Get a service account principal

To bind the Finout service account to the scoping project using the Terraform script, we need to be provided with the service account principle:

1. Navigate to the Google Console.

2. Choose IAM & Admin.

   

3. Provide Finout’s service account principal.

   

Get your “scoping project ID”

1. Go to the GCP console to locate your project.

2. Copy its ID (project_id).

   

Script functions

1. The script enables monitoring API (Stackdriver Monitoring API) for the scoping project.

2. Employ Finout’s service account with billing query permissions.

3. Adds 'Monitoring Viewer' role permissions to the desired project.

4. Binds projects as monitored to the scoping project, either fully or partially.

5. Links Finout's billing service account with the 'Compute Viewer' role to all monitored projects, including the scoping project.

6. Enables the compute engine API for all monitored projects, including the scoping project.

Running the script

To run the Terraform script, you must have an Editor role.

1. Login to your GCP Cloud with gcloud auth application-default login.

2. Run the script with the following commands:

• terraform init

• terraform workspace select <workspace>

• terraform apply -var-file "profiles/<environment>.tfvars"

Adding new monitored projects

New projects are not automatically added to the Finout scoping project.

After executing the script, you have the option to add more projects as monitored projects based on your preferred method:

1. If all the organization’s projects are to be monitored, leave the list empty and rerun the script. This will include any new projects automatically.

2. If specific projects are chosen, add their IDs to the “Monitored Projects” list.

   Note: Projects not included will not be monitored.

Onboarding a New Project

1. Clone Finout’s shared repository- git clone: git clone git@github.com:finout-io/finout-onboarding.git

2. Terraform script usage:

   Use the following Terraform script: gcp/cost-guard/new-project-onboarding

3. Edit the Terraform state file configuration:

   Modify gcp-cost-guard-onboarding-new-project/provider.tf file to save the Terraform state file.

   

4. Set up a bucket name:

   In <BUCKET_NAME> - Input the name of the bucket for storing Terraform state files. If it does not exist, create a new bucket.

5. Configure env.tfvars:

   Edit gcp-cost-guard-onboarding-new-project/profiles/env.tfvars as follows:

   Create a new “scoping project” and bind the Finout service account to this project:

   a. Edit the profiles/env.tfvars as follows:

   

   b. Run the script with additional parameters:

   • <FINOUT_SERVICE_ACCOUNT> - Retrieve the Finout service account details. Learn how to here.

   • <SCOPING_PROJECT_ID> - Add a new ID for the scoping project to be created. Default new project id: finout-scoping-project-xxxxxx.

   • <ORG_ID> - Retrieve the organization ID. Show me how.

   • <SCOPING_PROJECT_NAME> - Define a new name for the scoping project to be created. Default new project name: finout-scoping-project.

   • <MONITORED_PROJECTS> - Specify which projects will be monitored:

     1. If you wish to define all the organization projects as monitored projects - leave an empty list.

     2. If you wish to define specific projects - fill the "Monitored projected" list with the specific project IDs.

6. Run the Terraform script.

7. Validate that the integration is working correctly:

   1. In the GCP Console, check the scoping project under IAM to ensure Finout's service account has the 'Monitoring Viewer' role.

   2. Under Monitoring in the scoping project, verify that all intended projects are added to the Metric Scope.

      
8. Send the scoping project ID and account service to Finout.

   Note: To send the project ID, please reach out to Finout's support team.

   Important: This script is designed for onboarding one organization at a time. For multiple organizations, you will need to run the script separately for each organization requiring monitoring.

Additional help: setting up and running the Finout integration

Get a service account principal

To bind the Finout service account to the scoping project using the Terraform script, we need to be provided with the service account principle:

1. Navigate to the Google Console.

2. Choose IAM & Admin.

   

3. Provide Finout’s service account principal (see attached screenshot).

   

Retrieve the organization ID

1. In the Google console, click on the Google Cloud icon in the left upper corner.

   
2. Click on the organization name.

   
3. Copy the organization ID.

   

Script functions

1. The script creates a new project as a scoping project.

2. Enables the monitoring API for the scoping project.

3. Employ Finout’s service account with billing query permissions.

4. Adds 'Monitoring Viewer' role permissions to the desired project.

5. Binds projects as monitored to the scoping project.

How to run the script

To run the Terraform script, you must have an Editor role within GCP.

1. Login to your GCP Cloud with gcloud auth application-default login

2. Run the script with the following commands:

• terraform init

• terraform workspace select <workspace>

• terraform apply -var-file "profiles/<environment>.tfvars"

Assigning Compute Viewer Role to the Service Account

To access the metadata of resources, like underutilized persistent disks, the service account must have the 'Compute Viewer' role.

Adding new monitored projects

New projects are not automatically added to the Finout scoping project.

After executing the script, you have the option to add more projects as monitored projects based on your preferred method:

1. If all the organization's projects are to be monitored, leave the list empty and rerun the script. This will include any new projects automatically.

2. If specific projects are chosen, add their IDs to the “Monitored Projects” list.

   Note: Projects not included will not be monitored.

Required Permissions for GCP Monitoring

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.get

monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Main Metrics

compute.googleapis.com/instance/cpu/utilization

compute.googleapis.com/instance/network/received_bytes_count

compute.googleapis.com/instance/network/sent_bytes_count

cloudsql.googleapis.com/database/memory/usage

cloudsql.googleapis.com/database/network/connections